jarvis-bot: Sync some security settings with caddy upstream

Signed-off-by: Harsh Shandilya <harsh@prjkt.io>
2024-06-03 04:08:58 +05:30 · 2018-02-14 23:12:12 +05:30 · 2018-02-14 23:12:12 +05:30 · be6bc18625
commit be6bc18625
parent 96f929bd8a
1 changed files with 16 additions and 1 deletions
--- a/jarvis-bot.service
+++ b/jarvis-bot.service
@ -3,11 +3,26 @@ Description=Jarvis-CI-Bot service
 After=network.target

 [Service]
+Restart=on-abort
 Type=simple
 User=bot
 WorkingDirectory=/home/bot/jarvis-ci-bot
 ExecStart=/home/bot/jarvis-ci-bot/build.py
-Restart=on-abort
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Use graceful shutdown with a reasonable timeout
+KillMode=mixed
+KillSignal=SIGQUIT
+TimeoutStopSec=5s
+
+; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp=true
+; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
+PrivateDevices=false
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full

 [Install]
 WantedBy=multi-user.target