Hardening and more for the systemd service
Performance improvements, auto-restart on failure to prevent unattended routers from shutting down by accident, and leveraging systemd's security features.
parent
024c29b180
commit
d7541db659
1 changed files with 36 additions and 6 deletions
|
@ -1,21 +1,26 @@
|
||||||
|
# /etc/systemd/system/i2pd.service
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=I2P Router written in C++
|
Description=I2P Router written in C++
|
||||||
Documentation=man:i2pd(1) https://i2pd.readthedocs.io/en/latest/
|
Documentation=man:i2pd(1) https://i2pd.readthedocs.io/en/latest/
|
||||||
After=network.target
|
After=network.target
|
||||||
|
ConditionFileIsExecutable=/usr/sbin/i2pd
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
User=i2pd
|
User=i2pd
|
||||||
Group=i2pd
|
Group=i2pd
|
||||||
|
PermissionsStartOnly=yes
|
||||||
|
|
||||||
RuntimeDirectory=i2pd
|
RuntimeDirectory=i2pd
|
||||||
RuntimeDirectoryMode=0700
|
RuntimeDirectoryMode=0700
|
||||||
LogsDirectory=i2pd
|
LogsDirectory=i2pd
|
||||||
LogsDirectoryMode=0700
|
LogsDirectoryMode=0700
|
||||||
Type=forking
|
Type=exec
|
||||||
ExecStart=/usr/sbin/i2pd --conf=/etc/i2pd/i2pd.conf --tunconf=/etc/i2pd/tunnels.conf --tunnelsdir=/etc/i2pd/tunnels.conf.d --pidfile=/run/i2pd/i2pd.pid --logfile=/var/log/i2pd/i2pd.log --daemon --service
|
Environment="DAEMON_OPTS=--conf=/etc/i2pd/i2pd.conf --tunconf=/etc/i2pd/tunnels.conf --tunnelsdir=/etc/i2pd/tunnels.conf.d --pidfile=/run/i2pd/i2pd.pid --logfile=/var/log/i2pd/i2pd.log --service"
|
||||||
|
EnvironmentFile=-/etc/default/i2pd
|
||||||
|
ExecStart=/usr/sbin/i2pd $DAEMON_OPTS
|
||||||
ExecReload=/bin/sh -c "kill -HUP $MAINPID"
|
ExecReload=/bin/sh -c "kill -HUP $MAINPID"
|
||||||
PIDFile=/run/i2pd/i2pd.pid
|
PIDFile=/run/i2pd/i2pd.pid
|
||||||
### Uncomment, if auto restart needed
|
Restart=on-failure
|
||||||
#Restart=on-failure
|
|
||||||
|
|
||||||
KillSignal=SIGQUIT
|
KillSignal=SIGQUIT
|
||||||
# If you have the patience waiting 10 min on restarting/stopping it, uncomment this.
|
# If you have the patience waiting 10 min on restarting/stopping it, uncomment this.
|
||||||
|
@ -23,10 +28,35 @@ KillSignal=SIGQUIT
|
||||||
#KillSignal=SIGINT
|
#KillSignal=SIGINT
|
||||||
#TimeoutStopSec=10m
|
#TimeoutStopSec=10m
|
||||||
|
|
||||||
# If you have problems with hanging i2pd, you can try increase this
|
LimitNOFILE=65536
|
||||||
LimitNOFILE=4096
|
|
||||||
# To enable write of coredump uncomment this
|
# To enable write of coredump uncomment this
|
||||||
#LimitCORE=infinity
|
#LimitCORE=infinity
|
||||||
|
|
||||||
|
# Hardening
|
||||||
|
NoNewPrivileges=yes
|
||||||
|
PrivateTmp=yes
|
||||||
|
PrivateUsers=true
|
||||||
|
PrivateDevices=yes
|
||||||
|
ProtectHome=yes
|
||||||
|
ProtectSystem=full
|
||||||
|
ProtectClock=true
|
||||||
|
ProtectControlGroups=yes
|
||||||
|
ProtectHostname=true
|
||||||
|
ProtectKernelLogs=true
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
ProtectKernelTunables=yes
|
||||||
|
ProtectSystem=strict
|
||||||
|
RestrictAddressFamilies=AF_INET AF_INET6
|
||||||
|
RestrictNamespaces=cgroup ipc mnt pid user uts
|
||||||
|
RestrictRealtime=true
|
||||||
|
RestrictSUIDSGID=true
|
||||||
|
RemoveIPC=true
|
||||||
|
ReadOnlyDirectories=/
|
||||||
|
ReadWriteDirectories=-/proc
|
||||||
|
ReadWriteDirectories=-/var/lib/i2pd
|
||||||
|
ReadWriteDirectories=-/var/log/i2pd
|
||||||
|
ReadWriteDirectories=-/run
|
||||||
|
CapabilityBoundingSet=
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|
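Review bot: `RestrictNamespaces=cgroup ipc mnt pid user uts` is an allow-list in systemd, so as written it lets the service create every namespace type it names and denies only `net`, which looks like the opposite of the intended hardening; `RestrictNamespaces=yes` (or the same list prefixed with `~`) would deny them. In the same Hardening block, `ReadWriteDirectories=-/run` and `ReadWriteDirectories=-/proc` reopen more than the service appears to need under `ProtectSystem=strict`. `RuntimeDirectory=i2pd` already makes `/run/i2pd` writable, so both lines can probably be dropped. `ProtectSystem=full` has no effect because the later `ProtectSystem=strict` overrides it, and `ReadOnlyDirectories=/` then adds nothing. `RestrictAddressFamilies=AF_INET AF_INET6` also excludes `AF_UNIX` and `AF_NETLINK`, so if i2pd logs to syslog or enumerates network interfaces those calls would presumably fail; test both paths, or add the two families, before shipping.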