M systemd/tls-redirector.service => systemd/tls-redirector.service +12 -6
@@ 1,10 1,16 @@
[Unit]
-Description=TLS Redirector (http to https)
-After=tls-redirector.socket
+Description=TLS Redirector
[Service]
-#Environment=ACME_CHALLENGE_DIR=/tmp
-Type=simple
ExecStart=/usr/bin/tls-redirector
-Restart=on-failure
-User=nobody
+# Use SystemD activation
+Environment=PORT=systemd
+Environment=ACME_CHALLENGE_DIR=%C/acme-challenge/.well-known/acme-challenge
+# Security
+DynamicUser=yes
+ProtectHome=tmpfs
+PrivateDevices=yes
+ProtectHostname=yes
+## No need to be able to bind to sockets
+CapabilityBoundingSet=
+RestrictNamespaces=
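Review bot: `RestrictNamespaces=` with an empty value is a no-op rather than a lockdown: systemd.exec(5) states that assigning the empty string applies the default namespace restrictions, which is equivalent to `RestrictNamespaces=no`, so the last line under `# Security` does not restrict anything. The empty-value idiom is right for `CapabilityBoundingSet=` (it resets the bounding set to no capabilities), but the two settings do not behave the same way. Change the line to `RestrictNamespaces=yes`. The `## No need to be able to bind to sockets` comment explains only the capability line, so it reads better placed directly above `CapabilityBoundingSet=`; with the listening socket handed over by systemd the service indeed needs neither `CAP_NET_BIND_SERVICE` nor any `AmbientCapabilities=`.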
M systemd/tls-redirector.socket => systemd/tls-redirector.socket +1 -1
@@ 1,5 1,5 @@
[Unit]
-Description=TLS Redirector Port 80 (socket)
+Description=TLS Redirector Socket
After=network.target
[Socket]
A systemd/tls-redirector.tmpfiles.conf => systemd/tls-redirector.tmpfiles.conf +4 -0
@@ 0,0 1,4 @@
+#Type Path Mode User Group Age Argument
+d %C/acme-challenge 0755 - - - -
+d %C/acme-challenge/.well-known 0755 - - - -
+d %C/acme-challenge/.well-known/acme-challenge 0755 - - - -
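Review bot: All three `d` entries leave the User and Group columns as `-`, so the challenge directory is created root-owned with mode 0755, and only root can place challenge files in it. That is fine for the redirector itself, which under `DynamicUser=yes` only needs to read the directory, but whatever ACME client writes the tokens must then run as root; if it runs as an unprivileged account (not visible here), set the User/Group columns of the last entry to that account instead of `-`. A short comment above the entries saying which component writes here and which reads, e.g. `# Written by the ACME client, served read-only by tls-redirector`, would make the ownership choice deliberate rather than accidental.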