Systemd service file (#22)
* Add example systemd service file * Mention systemd service file in README
parent
215d32c76e
commit
a877ff2d4b
2 changed files with 82 additions and 4 deletions
@ -69,12 +69,10 @@ Or you can run it manually but not recommended since you won't lock down the con
#### Warning
We recommend running sig_helper inside a locked down environment like an LXC container or a systemd service where only the strict necessary is allowed.
No example outside of Docker have been written for this but feel free to send your contribution.
This service runs untrusted code directly from Google.
We recommend running sig_helper inside a locked down environment like an LXC container or a systemd service where only the strict necessary is allowed. An examplary systemd service file is provided in `inv_sig_helper.service` which creates a socket in `/home/invidious/tmp/inv_sig_helper.sock`.
#### Instructions
The service can run in Unix socket mode (default) or TCP mode:
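--- a/inv_sig_helper.service
+++ b/inv_sig_helper.service
@@ -0,0 +1,80 @@
+[Unit]
+Description=inv_sig_helper (decrypt YouTube signatures and manage player information)
+After=syslog.target
+After=network.target
+
+[Service]
+RestartSec=2s
+Type=simple
+
+User=invidious
+Group=invidious
+
+# allow only the strict necessary since this service runs untrusted code directly from Google
+CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+CapabilityBoundingSet=~CAP_SYS_PTRACE
+CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP
+CapabilityBoundingSet=~CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER
+CapabilityBoundingSet=~CAP_NET_ADMIN
+CapabilityBoundingSet=~CAP_SYS_MODULE
+CapabilityBoundingSet=~CAP_SYS_RAWIO
+CapabilityBoundingSet=~CAP_SYS_TIME
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_KILL
+CapabilityBoundingSet=~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYSLOG
+CapabilityBoundingSet=~CAP_SYS_NICE CAP_SYS_RESOURCE
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_SYS_BOOT
+CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE
+CapabilityBoundingSet=~CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_SYS_CHROOT
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
+CapabilityBoundingSet=~CAP_LEASE
+CapabilityBoundingSet=~CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_WAKE_ALARM
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectControlGroups=true
+ProtectHome=tmpfs
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@swap
+SystemCallFilter=~@privileged
+SystemCallFilter=~@resources
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@obsolete
+
+BindReadOnlyPaths=/home/invidious/inv_sig_helper
+BindPaths=/home/invidious/tmp
+
+WorkingDirectory=/home/invidious/inv_sig_helper
+ExecStart=/home/invidious/inv_sig_helper/target/release/inv_sig_helper_rust /home/invidious/tmp/inv_sig_helper.sock
+
+Restart=always
+
+[Install]
+WantedBy=multi-user.target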
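Review bot: The 24-line `CapabilityBoundingSet=~…` deny list in [Service] is fragile — any capability it does not name (CAP_MKNOD and CAP_BPF, for instance, are absent) stays in the bounding set — while the unit already runs as the unprivileged `invidious` user with `NoNewPrivileges=true` and, as far as the unit shows, needs no capability at all; a single empty assignment, `CapabilityBoundingSet=`, resets the set to empty and is both shorter and stricter. The syscall filter would benefit from the same allow-list shape: `SystemCallFilter=@system-service` followed by the existing `~@privileged`/`~@resources`/… denials is what `systemd-analyze security` scores higher than a pure deny list. `After=syslog.target` is obsolete in current systemd (journald is always available) and can be dropped. One point to confirm rather than a defect: `MemoryDenyWriteExecute=true` will break the service at runtime if the embedded JavaScript engine that evaluates the player code JIT-compiles, so it is worth checking which engine the binary links before shipping this as the recommended unit.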