somini: 1 Tweak SystemD files 3 files changed, 17 insertions(+), 7 deletions(-)
Copy & paste the following snippet into your terminal to import this patchset into git:
curl -s https://lists.sr.ht/~ancarda/tls-redirector/patches/16091/mbox | git am -3
- Default to using systemd socket activation - Improve security for service - Automatically create the folder for ACME usage This is implemented here: https://aur.archlinux.org/packages/tls-redirector/ --- systemd/tls-redirector.service | 18 ++++++++++++------ systemd/tls-redirector.socket | 2 +- systemd/tls-redirector.tmpfiles.conf | 4 ++++ 3 files changed, 17 insertions(+), 7 deletions(-) create mode 100644 systemd/tls-redirector.tmpfiles.conf diff --git a/systemd/tls-redirector.service b/systemd/tls-redirector.service index 34f09f1..29a037c 100644 --- a/systemd/tls-redirector.service +++ b/systemd/tls-redirector.service @@ -1,10 +1,16 @@ [Unit] -Description=TLS Redirector (http to https) -After=tls-redirector.socket +Description=TLS Redirector [Service] -#Environment=ACME_CHALLENGE_DIR=/tmp -Type=simple ExecStart=/usr/bin/tls-redirector -Restart=on-failure -User=nobody +# Use SystemD activation +Environment=PORT=systemd +Environment=ACME_CHALLENGE_DIR=%C/acme-challenge/.well-known/acme-challenge
Is this directory meant to be created by systemd? I don't understand how the tmpfiles.conf file is supposed to work. The stock configuration in git has this line commented out, so out of the box it will just launch, and this can be enabled if people want it.

The tmpfiles format is documented in tmpfiles.d(5). Basically, it will guarantee that the directory tree is created on boot (and when installing the package). This is so that HTTP validation works out of the box. If the user configures certbot to use DNS validation, those three directories have been created in vain, but that's fine. For the AUR package, I print a message to the user to configure certbot HTTP validation to point to that top directory. https://aur.archlinux.org/cgit/aur.git/tree/tls-redirector.install?h=tls-redirector

I generally encourage people to use the DNS based ACME challenge.
+# Security +DynamicUser=yes +ProtectHome=tmpfs +PrivateDevices=yes +ProtectHostname=yes +## No need to be able to bind to sockets +CapabilityBoundingSet= +RestrictNamespaces= diff --git a/systemd/tls-redirector.socket b/systemd/tls-redirector.socket index ffc8c67..0c4d70c 100644 --- a/systemd/tls-redirector.socket +++ b/systemd/tls-redirector.socket @@ -1,5 +1,5 @@ [Unit] -Description=TLS Redirector Port 80 (socket) +Description=TLS Redirector Socket After=network.target [Socket] diff --git a/systemd/tls-redirector.tmpfiles.conf b/systemd/tls-redirector.tmpfiles.conf new file mode 100644 index 0000000..af19de3 --- /dev/null +++ b/systemd/tls-redirector.tmpfiles.conf @@ -0,0 +1,4 @@ +#Type Path Mode User Group Age Argument +d %C/acme-challenge 0755 - - - - +d %C/acme-challenge/.well-known 0755 - - - - +d %C/acme-challenge/.well-known/acme-challenge 0755 - - - - -- 2.29.2
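Review bot: in the tls-redirector.service hunk, `RestrictNamespaces=` with an empty value does not lock anything down; per systemd.exec(5), assigning the empty string resets the option to its default, which is equivalent to `RestrictNamespaces=no`. The neighbouring `CapabilityBoundingSet=` behaves the opposite way (an empty assignment drops every capability, which is what the `## No need to be able to bind to sockets` comment intends), so the two lines look alike but only one of them restricts anything. Suggest `RestrictNamespaces=yes`. Two smaller points on the same hunk: `Restart=on-failure` is removed, which is fine while the socket unit is the only way the service is started (the next connection respawns it), but a unit started directly now stays dead after a crash; and since `ACME_CHALLENGE_DIR` is no longer commented out, the challenge directory is always served, which is safe here because `DynamicUser=yes` implies `ProtectSystem=strict`, leaving the service read-only access to that path. Running `systemd-analyze security tls-redirector.service` against the new unit is a quick way to confirm the resulting sandbox before merging.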
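Review bot: the tls-redirector.tmpfiles.conf hunk creates the tree, but nothing in this patch installs the file and neither unit references it, so a reader of the repository cannot tell that it must land in /usr/lib/tmpfiles.d/ (or /etc/tmpfiles.d/) and be applied with `systemd-tmpfiles --create`; the commit message points at the AUR package for that step, so please add the same instruction to the project's install documentation. It is also worth a comment in the file that the directory to hand to the ACME client (certbot's `--webroot-path`) is the top-level `%C/acme-challenge`, not the `.well-known/acme-challenge` leaf that `ACME_CHALLENGE_DIR` points to, since the two look interchangeable at a glance. Ownership `-` leaves all three directories root-owned 0755, which is the right shape: the ACME client writes as root and the DynamicUser service only needs read access.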
Hi,

Sorry for the delay in getting back to you. This patch looks good - thank you for sending it. I'd like to merge most of the changes like DynamicUser but I have a few questions about how HTTP ACME challenges are done now.

December 22, 2020 7:07 PM, "somini" <dev@somini.xyz> wrote:
Did you need to add these two lines in? Socket activation should be detected automatically - "PORT=systemd" is more for backwards compatibility or debugging these days.