From be6bc18625fbc225fd32d9598f5cf417de847435 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya <harsh@prjkt.io>
Date: Wed, 14 Feb 2018 23:12:12 +0530
Subject: [PATCH] jarvis-bot: Sync some security settings with caddy upstream

Signed-off-by: Harsh Shandilya <harsh@prjkt.io>
---
 jarvis-bot.service | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/jarvis-bot.service b/jarvis-bot.service
index 984ddee..e1d1e3a 100644
--- a/jarvis-bot.service
+++ b/jarvis-bot.service
@@ -3,11 +3,26 @@ Description=Jarvis-CI-Bot service
 After=network.target
 
 [Service]
+Restart=on-abort
 Type=simple
 User=bot
 WorkingDirectory=/home/bot/jarvis-ci-bot
 ExecStart=/home/bot/jarvis-ci-bot/build.py
-Restart=on-abort
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Use graceful shutdown with a reasonable timeout
+KillMode=mixed
+KillSignal=SIGQUIT
+TimeoutStopSec=5s
+
+; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp=true
+; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
+PrivateDevices=false
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
 
 [Install]
 WantedBy=multi-user.target
\ No newline at end of file