~ancarda/tls-redirector

d1f22ecd265d5faac4c9fb9ae0e0b1362a4d57e5 — somini 2 months ago 5f0b9ad
Tweak SystemD files

- Default to using systemd socket activation
- Improve security for service
- Automatically create the folder for ACME usage

This is implemented here:
https://aur.archlinux.org/packages/tls-redirector/
M systemd/tls-redirector.service => systemd/tls-redirector.service +12 -6
@@ 1,10 1,16 @@
[Unit]
Description=TLS Redirector (http to https)
After=tls-redirector.socket
Description=TLS Redirector

[Service]
#Environment=ACME_CHALLENGE_DIR=/tmp
Type=simple
ExecStart=/usr/bin/tls-redirector
Restart=on-failure
User=nobody
# Use SystemD activation
Environment=PORT=systemd
Environment=ACME_CHALLENGE_DIR=%C/acme-challenge/.well-known/acme-challenge
# Security
DynamicUser=yes
ProtectHome=tmpfs
PrivateDevices=yes
ProtectHostname=yes
## No need to be able to bind to sockets
CapabilityBoundingSet=
RestrictNamespaces=
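Review bot: `RestrictNamespaces=` with an empty value restricts nothing, so the last line of the `# Security` group is a no-op. The empty assignment works for `CapabilityBoundingSet=` just above because an empty set there means no capabilities, but systemd.exec(5) documents the empty string for RestrictNamespaces as resetting to the default, which is equivalent to `no`. If the intent is to deny namespace creation to the redirector, the line should read `RestrictNamespaces=yes`. Running `systemd-analyze security tls-redirector.service` against the installed unit will show whether the setting took effect.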

M systemd/tls-redirector.socket => systemd/tls-redirector.socket +1 -1
@@ 1,5 1,5 @@
[Unit]
Description=TLS Redirector Port 80 (socket)
Description=TLS Redirector Socket
After=network.target

[Socket]

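--- a/systemd/tls-redirector.tmpfiles.conf
+++ b/systemd/tls-redirector.tmpfiles.conf
@@ -0,0 +1,4 @@
+#Type	Path	Mode	User	Group	Age	Argument
+d	%C/acme-challenge	0755	-	-	-	-
+d	%C/acme-challenge/.well-known	0755	-	-	-	-
+d	%C/acme-challenge/.well-known/acme-challenge	0755	-	-	-	-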
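Review bot: The three `d` lines leave User and Group as `-`, so the challenge tree is created with the ownership of whoever runs systemd-tmpfiles (root for the system instance) at mode 0755, and the file does not say who is expected to write into it. The redirector, which the service file runs under `DynamicUser=yes`, presumably only needs read access, and 0755 gives it that. The ACME client that drops the challenge files would have to run as root, or these lines need an explicit owner. A header comment such as `# Read by tls-redirector.service; written by the ACME client, which must run as root unless User/Group are set here` would record that.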