~ancarda/tls-redirector

[PATCH] Tweak SystemD files

Details
Message ID
<face5f006e615d45294d5e5fac44f3bc@somini.xyz>
DKIM signature
missing
- Default to using systemd socket activation
- Improve security for service
- Automatically create the folder for ACME usage

This is implemented here:
https://aur.archlinux.org/packages/tls-redirector/
---
  systemd/tls-redirector.service       | 18 ++++++++++++------
  systemd/tls-redirector.socket        |  2 +-
  systemd/tls-redirector.tmpfiles.conf |  4 ++++
  3 files changed, 17 insertions(+), 7 deletions(-)
  create mode 100644 systemd/tls-redirector.tmpfiles.conf

diff --git a/systemd/tls-redirector.service 
b/systemd/tls-redirector.service
index 34f09f1..29a037c 100644
--- a/systemd/tls-redirector.service
+++ b/systemd/tls-redirector.service
@@ -1,10 +1,16 @@
  [Unit]
-Description=TLS Redirector (http to https)
-After=tls-redirector.socket
+Description=TLS Redirector

  [Service]
-#Environment=ACME_CHALLENGE_DIR=/tmp
-Type=simple
  ExecStart=/usr/bin/tls-redirector
-Restart=on-failure
-User=nobody
+# Use SystemD activation
+Environment=PORT=systemd
+Environment=ACME_CHALLENGE_DIR=%C/acme-challenge/.well-known/acme-challenge
+# Security
+DynamicUser=yes
+ProtectHome=tmpfs
+PrivateDevices=yes
+ProtectHostname=yes
+## No need to be able to bind to sockets
+CapabilityBoundingSet=
+RestrictNamespaces=
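Review bot: the last line of the hunk, `RestrictNamespaces=` with an empty value, does not restrict anything; in systemd.exec an empty assignment resets the option to its default, which is equivalent to `false`. To deny namespace creation it needs `RestrictNamespaces=yes` (or an explicit list of namespace types to permit). The `## No need to be able to bind to sockets` comment is accurate only for the empty `CapabilityBoundingSet=`, which does drop every capability and is appropriate here because the listening socket is handed over by systemd via `Environment=PORT=systemd`. Two removals deserve a sentence in the commit message: dropping `Restart=on-failure` means a crashed instance is only started again by the next connection arriving on the socket rather than immediately, and dropping `After=tls-redirector.socket` is safe only because socket activation already implies that ordering. Since the unit now uses `DynamicUser=yes` and reads its challenge directory from `%C` (the system cache directory, `/var/cache` for a system service), consider also declaring `CacheDirectory=acme-challenge` so the service's view of the path and the separate tmpfiles fragment cannot drift apart.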
diff --git a/systemd/tls-redirector.socket 
b/systemd/tls-redirector.socket
index ffc8c67..0c4d70c 100644
--- a/systemd/tls-redirector.socket
+++ b/systemd/tls-redirector.socket
@@ -1,5 +1,5 @@
  [Unit]
-Description=TLS Redirector Port 80 (socket)
+Description=TLS Redirector Socket
  After=network.target

  [Socket]
diff --git a/systemd/tls-redirector.tmpfiles.conf 
b/systemd/tls-redirector.tmpfiles.conf
new file mode 100644
index 0000000..af19de3
--- /dev/null
+++ b/systemd/tls-redirector.tmpfiles.conf
@@ -0,0 +1,4 @@
+#Type	Path	Mode	User	Group	Age	Argument
+d	%C/acme-challenge	0755	-	-	-	-
+d	%C/acme-challenge/.well-known	0755	-	-	-	-
+d	%C/acme-challenge/.well-known/acme-challenge	0755	-	-	-	-
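Review bot: all three `d` entries leave user and group as `-`, so the tree is created root-owned with mode 0755. The service's dynamic user can read it, but whatever ACME client has to drop tokens into the innermost `.well-known/acme-challenge` directory must then run as root, or the last line needs an explicit owner or group (and a mode) matching that client; the commit message should say which process is expected to write there. The path does agree with the service's `Environment=ACME_CHALLENGE_DIR=%C/acme-challenge/.well-known/acme-challenge`, which is good, but `%C` resolves to `/var/cache` for the system instance, a location whose contents may be pruned; the `d` type recreates the directories at boot, though any tokens written between a prune and the next boot would be lost. If that is not acceptable, a state or runtime directory (`%S` or `%t`) would be a better home than the cache.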
-- 
2.29.2

Details
Message ID
<5b5381a9e63bf1b1e939b332e2055d0d@somini.xyz>
In-Reply-To
<face5f006e615d45294d5e5fac44f3bc@somini.xyz>
DKIM signature
missing

Weird, this was done just like the other patch. I still haven't got
around to configuring "git send-email", will do this.

I'm sorry about the noise, I don't have much experience with sending 
patches by email yet.

Details
Message ID
<da87fb19dbee0f066abf0a69f77950d3@somini.xyz>
In-Reply-To
<5b5381a9e63bf1b1e939b332e2055d0d@somini.xyz>
DKIM signature
missing
On 2020-12-22 12:48, me@somini.xyz wrote:
> Weird, this was done just like the other patch. I still haven't got
> around to configuring "git send-email", will do this.
> 
> I'm sorry about the noise, I don't have much experience with sending
> patches by email yet.

In case you want to review this, here's the proper patch:

https://gitlab.com/somini/tls-redirector/-/commit/64fd2b896c6ee9f3ec4ef4871e054b6254e919e4.patch

I'll send it to the mailing list properly later today.