commit 5c31f7b2fe87f7e1919e7ed20abbab68eede4084 (tree) parent 3981d56ee9c797d12cffb2de9881ebfa79ece505 Author: Motiejus Jakštys <desired.mta@gmail.com> Date: Wed, 15 Apr 2020 08:13:29 +0300 demo Diffstat:
| M | bin/bin/prepare_container.sh | | | 2 | +- |
| A | root/rpi4b/etc/systemd/system/webs-prep.service | | | 8 | ++++++++ |
| A | root/rpi4b/etc/systemd/system/webs.service | | | 34 | ++++++++++++++++++++++++++++++++++ |
3 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/bin/bin/prepare_container.sh b/bin/bin/prepare_container.sh
@@ -11,7 +11,7 @@ prepare_container() {
 if [[ -d "$dir" ]]; then
 if [[ -f "$dir/.extract_done" ]]; then
 echo "$dir already has the filesystem extracted"
- return
+ exit 0
 fi
 if [[ ! -f "$dir/.extract_started" ]]; then
diff --git a/root/rpi4b/etc/systemd/system/webs-prep.service b/root/rpi4b/etc/systemd/system/webs-prep.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Some isolated web service
+After=network.target network-online.target bigdisk.mount
+Requires=bigdisk.mount
+
+[Service]
+Type=oneoff
+ExecStart=/home/motiejus/bin/prepare_container.sh /bigdisk/python3 python:3-alpine
diff --git a/root/rpi4b/etc/systemd/system/webs.service b/root/rpi4b/etc/systemd/system/webs.service
@@ -0,0 +1,34 @@
+[Unit]
+Description=Some isolated web service
+After=network.target network-online.target webs-prep.service
+Requires=webs-prep.service
+
+[Service]
+Type=simple
+RestartSec=3
+Restart=always
+ExecStart=/usr/local/bin/python3 -m http.server
+
+# Hardening
+RootDirectory=/bigdisk/python3
+DynamicUser=true
+PrivateUsers=true
+MountAPIVFS=true
+
+# Misc hardening
+SystemCallArchitectures=native
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+PrivateDevices=true
+CapabilityBoundingSet=
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ProtectHostname=true
+RestrictNamespaces=true
+RestrictRealtime=true
+LockPersonality=true
+
+[Install]
+WantedBy=multi-user.target
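Review bot: `exit 0` inside `prepare_container()` ends the whole script, not just the function, so anything the caller runs after the call is skipped, and a shell that sources this file would exit with it. If stopping the script here is intended for the new systemd caller, a comment above the line should say so, e.g. `# already extracted: stop the script so the unit reports success`. This branch also trusts the `.extract_done` marker on its own, so a tree extracted from an older `python:3-alpine` image is presumably never refreshed and keeps whatever unpatched packages it had. The function begins and ends outside this hunk, so how the caller uses the result is not visible here.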
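Review bot: `Type=oneoff` is not a systemd service type; the value meant here is `Type=oneshot`. With an unrecognised type systemd warns and, as far as I know, falls back to the default, so `After=webs-prep.service` in webs.service would stop waiting for the extraction to finish and the service could start in a half-populated root. Separately, `ExecStart=` points at `/home/motiejus/bin/prepare_container.sh` and the unit sets no `User=`, so a script in a user's home directory runs as root at boot. Installing it under a root-owned path such as `/usr/local/bin/` avoids letting that account change what root executes. The `Description=` is identical to the one in webs.service, which makes the two hard to tell apart in `systemctl` output.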
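Review bot: `ExecStart=/usr/local/bin/python3 -m http.server` listens on all interfaces by default and serves its working directory. No `WorkingDirectory=` is set, so that is presumably the top of `RootDirectory=/bigdisk/python3`, which publishes the whole extracted image with directory listings. Pin both explicitly, e.g. `ExecStart=/usr/local/bin/python3 -m http.server --bind 127.0.0.1 --directory <content-dir>` (the placeholder is a directory inside the root that holds only what should be served), or bind to the intended address if it must be reachable from the network. The hardening list has no syscall filter; `SystemCallFilter=@system-service` would fit alongside `SystemCallArchitectures=native`. `AF_UNIX` in `RestrictAddressFamilies=` can probably be dropped if the server only needs TCP, though that should be tested.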