mirror of
https://github.com/msfjarvis/server-config.git
synced 2024-06-03 04:08:58 +05:30
jarvis-bot: Sync some security settings with caddy upstream
Signed-off-by: Harsh Shandilya <harsh@prjkt.io>
This commit is contained in:
parent
96f929bd8a
commit
be6bc18625
|
@ -3,11 +3,26 @@ Description=Jarvis-CI-Bot service
|
|||
After=network.target
|
||||
|
||||
[Service]
|
||||
Restart=on-abort
|
||||
Type=simple
|
||||
User=bot
|
||||
WorkingDirectory=/home/bot/jarvis-ci-bot
|
||||
ExecStart=/home/bot/jarvis-ci-bot/build.py
|
||||
Restart=on-abort
|
||||
ExecReload=/bin/kill -USR1 $MAINPID
|
||||
|
||||
; Use graceful shutdown with a reasonable timeout
|
||||
KillMode=mixed
|
||||
KillSignal=SIGQUIT
|
||||
TimeoutStopSec=5s
|
||||
|
||||
; Use private /tmp and /var/tmp, which are discarded after caddy stops.
|
||||
PrivateTmp=true
|
||||
; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
|
||||
PrivateDevices=false
|
||||
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
|
||||
ProtectHome=true
|
||||
; Make /usr, /boot, /etc and possibly some more folders read-only.
|
||||
ProtectSystem=full
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
Loading…
Reference in New Issue
Block a user