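# systemd service unit for the git caching proxy; read by systemd
# (see systemd.service(5) and systemd.exec(5)). Full-line `#` comments only.
# NOTE(review): the connection is received on stdin (StandardInput=socket), so this
# unit is presumably paired with a .socket unit using Accept=yes — confirm.

[Unit]
Description=Git Repositories Caching Server Daemon

[Service]
# It is recommended to have a dedicated system user for the service
User=gitcache
Group=gitcache
# NOTE(review): variables from an EnvironmentFile are inherited by every child
# process of the service; if this file holds credentials, prefer a mechanism
# that does not expose them through the environment.
EnvironmentFile=/opt/gitcache/git-caching-daemon.conf
ExecStart=/opt/gitcache/git_caching_proxy.py
# The accepted connection is handed to the script on stdin/stdout;
# diagnostics go to the journal.
StandardInput=socket
StandardOutput=inherit
StandardError=journal

# Below are some security hardening directives quickly thrown together from various
# online sources. They may need adjustments for your particular version of systemd
# or configuration.
# For example, on Ubuntu 18.04 LTS, the SystemCallFilter directive does not accept
# the @system-service group.
# Booleans in this section are written uniformly as yes/no.
PrivateTmp=yes
NoNewPrivileges=yes
RestrictNamespaces=yes
DevicePolicy=closed
PrivateDevices=yes
PrivateUsers=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
# Adjust ProtectSystem if you require write access to /usr, /etc, or such
ProtectSystem=full
ProtectClock=yes
# ProtectProc= is newer than the systemd shipped with the Ubuntu release mentioned above
ProtectProc=invisible
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Restricts which address families socket(2) may create.
# NOTE(review): confirm whether the proxy actually needs AF_NETLINK; drop it if not.
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
# NOTE(review): can break Python extensions that map writable+executable memory
# (JIT, libffi/ctypes) — confirm against the script's dependencies.
MemoryDenyWriteExecute=yes
LockPersonality=yes
# Empty set: the bounding set is cleared, so no capability is retained
CapabilityBoundingSet=
# Allow-list of system call groups; calls outside it are denied
SystemCallFilter=@system-service @network-io @file-system
# SystemCallFilter= is enforced per ABI; limiting the unit to the native ABI
# keeps the allow-list complete (recommended alongside SystemCallFilter=).
SystemCallArchitectures=native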