~ancarda/tls-redirector

Tweak SystemD files v1 APPLIED

somini: 1
 Tweak SystemD files

 3 files changed, 17 insertions(+), 7 deletions(-)

Copy & paste the following snippet into your terminal to import this patchset into git:

curl -s https://lists.sr.ht/~ancarda/tls-redirector/patches/16091/mbox | git am -3

[PATCH] Tweak SystemD files

- Default to using systemd socket activation
- Improve security for service
- Automatically create the folder for ACME usage

This is implemented here:
https://aur.archlinux.org/packages/tls-redirector/
---
 systemd/tls-redirector.service       | 18 ++++++++++++------
 systemd/tls-redirector.socket        |  2 +-
 systemd/tls-redirector.tmpfiles.conf |  4 ++++
 3 files changed, 17 insertions(+), 7 deletions(-)
 create mode 100644 systemd/tls-redirector.tmpfiles.conf

diff --git a/systemd/tls-redirector.service b/systemd/tls-redirector.service
index 34f09f1..29a037c 100644
--- a/systemd/tls-redirector.service
+++ b/systemd/tls-redirector.service
@@ -1,10 +1,16 @@
[Unit]
Description=TLS Redirector (http to https)
After=tls-redirector.socket
Description=TLS Redirector

[Service]
#Environment=ACME_CHALLENGE_DIR=/tmp
Type=simple
ExecStart=/usr/bin/tls-redirector
Restart=on-failure
User=nobody
# Use SystemD activation
Environment=PORT=systemd
Environment=ACME_CHALLENGE_DIR=%C/acme-challenge/.well-known/acme-challenge
# Security
DynamicUser=yes
ProtectHome=tmpfs
PrivateDevices=yes
ProtectHostname=yes
## No need to be able to bind to sockets
CapabilityBoundingSet=
RestrictNamespaces=
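Review bot: `RestrictNamespaces=` with an empty value does not restrict anything; per systemd.exec(5) an empty assignment resets the option to its default, which is equivalent to `false`, so this line under `# Security` is a no-op. Use `RestrictNamespaces=yes` to actually block namespace creation and switching. `CapabilityBoundingSet=` (empty) is correct here: the listening socket is inherited from tls-redirector.socket, so the service never needs CAP_NET_BIND_SERVICE. Note also that `%C` expands to /var/cache for system services, so `ACME_CHALLENGE_DIR` resolves to `/var/cache/acme-challenge/.well-known/acme-challenge`; since `DynamicUser=yes` runs the process as an unprivileged transient user, that path must be readable by everyone, which the matching tmpfiles entries' mode 0755 provides.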
diff --git a/systemd/tls-redirector.socket b/systemd/tls-redirector.socket
index ffc8c67..0c4d70c 100644
--- a/systemd/tls-redirector.socket
+++ b/systemd/tls-redirector.socket
@@ -1,5 +1,5 @@
[Unit]
Description=TLS Redirector Port 80 (socket)
Description=TLS Redirector Socket
After=network.target

[Socket]
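Review bot: the new `Description=TLS Redirector Socket` drops the port number that the old description carried, and the service unit's description in the same patch no longer says "http to https" either, so `systemctl status` output no longer tells an operator what this socket listens on. Consider keeping "Port 80" in the description, e.g. `Description=TLS Redirector socket (port 80)`.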
diff --git a/systemd/tls-redirector.tmpfiles.conf b/systemd/tls-redirector.tmpfiles.conf
new file mode 100644
index 0000000..af19de3
--- /dev/null
+++ b/systemd/tls-redirector.tmpfiles.conf
@@ -0,0 +1,4 @@
#Type	Path	Mode	User	Group	Age	Argument
d	%C/acme-challenge	0755	-	-	-	-
d	%C/acme-challenge/.well-known	0755	-	-	-	-
d	%C/acme-challenge/.well-known/acme-challenge	0755	-	-	-	-
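Review bot: the `-` in the User and Group columns makes all three directories root-owned 0755, so the service (running as a DynamicUser) can read but not write them, which is the right posture for serving challenge tokens, but nothing in the patch says how the ACME client is expected to write tokens into `%C/acme-challenge/.well-known/acme-challenge`. Document that (run the client as root, or give its user ownership of the leaf directory with an explicit user/group column), and document that this file must be installed under tmpfiles.d and `systemd-tmpfiles --create` run once before the service is first used, since the service only reads the directory and will silently serve 404s if it does not exist.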
-- 
2.29.2

Hi,

Sorry for the delay in getting back to you.

This patch looks good - thank you for sending it. I'd like to merge
most of the changes like DynamicUser but I have a few questions about
how HTTP ACME challenges are done now.

December 22, 2020 7:07 PM, "somini" <dev@somini.xyz> wrote:
Did you need to add these two lines in? Socket activation should be
detected automatically - "PORT=systemd" is more for backwards
compatibility or debugging these days.