Systemd service file (#22)

* Add example systemd service file

* Mention systemd service file in README
This commit is contained in:
Thomas Vogt 2024-09-22 18:43:22 +02:00 committed by GitHub
parent 215d32c76e
commit a877ff2d4b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 82 additions and 4 deletions

View file

@ -69,12 +69,10 @@ Or you can run it manually but not recommended since you won't lock down the con
#### Warning #### Warning
We recommend running sig_helper inside a locked down environment like an LXC container or a systemd service where only the strict necessary is allowed.
No example outside of Docker have been written for this but feel free to send your contribution.
This service runs untrusted code directly from Google. This service runs untrusted code directly from Google.
We recommend running sig_helper inside a locked down environment like an LXC container or a systemd service where only the strict necessary is allowed. An examplary systemd service file is provided in `inv_sig_helper.service` which creates a socket in `/home/invidious/tmp/inv_sig_helper.sock`.
#### Instructions #### Instructions
The service can run in Unix socket mode (default) or TCP mode: The service can run in Unix socket mode (default) or TCP mode:

80
inv_sig_helper.service Normal file
View file

@ -0,0 +1,80 @@
[Unit]
Description=inv_sig_helper (decrypt YouTube signatures and manage player information)
After=syslog.target
After=network.target
[Service]
RestartSec=2s
Type=simple
User=invidious
Group=invidious
# allow only the strict necessary since this service runs untrusted code directly from Google
CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP
CapabilityBoundingSet=~CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_SYS_PTRACE
CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP
CapabilityBoundingSet=~CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER
CapabilityBoundingSet=~CAP_NET_ADMIN
CapabilityBoundingSet=~CAP_SYS_MODULE
CapabilityBoundingSet=~CAP_SYS_RAWIO
CapabilityBoundingSet=~CAP_SYS_TIME
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_KILL
CapabilityBoundingSet=~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=~CAP_SYSLOG
CapabilityBoundingSet=~CAP_SYS_NICE CAP_SYS_RESOURCE
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_SYS_BOOT
CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE
CapabilityBoundingSet=~CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_SYS_CHROOT
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
CapabilityBoundingSet=~CAP_LEASE
CapabilityBoundingSet=~CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_WAKE_ALARM
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProcSubset=pid
ProtectControlGroups=true
ProtectHome=tmpfs
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictSUIDSGID=true
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock
SystemCallFilter=~@debug
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@swap
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@obsolete
BindReadOnlyPaths=/home/invidious/inv_sig_helper
BindPaths=/home/invidious/tmp
WorkingDirectory=/home/invidious/inv_sig_helper
ExecStart=/home/invidious/inv_sig_helper/target/release/inv_sig_helper_rust /home/invidious/tmp/inv_sig_helper.sock
Restart=always
[Install]
WantedBy=multi-user.target