furt/deployment/linux/furt.service
michael 24bd94dec4 feat(deployment): add systemd security hardening
- Add ProtectSystem=strict for read-only filesystem
- Add ReadWritePaths for required directories
- Add ProtectHome=yes to block home access
- Add NoNewPrivileges=yes to prevent escalation
- Add PrivateTmp=yes for isolated temp space
- Add RestrictAddressFamilies=AF_INET for IPv4-only

Related DAW/furt#110
2025-09-07 18:40:32 +02:00


[Unit]
Description=furt Multi-Tenant API Gateway (Security-Hardened)
After=network.target

[Service]
Type=forking
User=furt
Group=furt
ExecStart=/usr/local/share/furt/scripts/start.sh
PIDFile=/var/run/furt/furt.pid
WorkingDirectory=/usr/local/share/furt
Restart=always
RestartSec=5
StandardOutput=journal
StandardError=journal

# === SECURITY HARDENING ===
# Filesystem Protection
ProtectSystem=strict
ReadWritePaths=/var/run/furt /var/log/furt
ProtectHome=yes

# Process Hardening
NoNewPrivileges=yes
PrivateTmp=yes

# Network Restriction
RestrictAddressFamilies=AF_INET

[Install]
WantedBy=multi-user.target
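As an added example that is not part of the furt repository, the following Python lint parses a unit file with systemd's accumulate/reset semantics for repeated keys and checks the [Service] section for the hardening directives this commit introduces, including that the PIDFile directory is covered by ReadWritePaths when ProtectSystem=strict makes the rest of the filesystem read-only. The unit text is a constructed excerpt of the file above; the lint function names are hypothetical.

```python
import re
# Added example, not furt project code: constructed excerpt of the unit on the page.
UNIT_TEXT = """[Service]
Type=forking
User=furt
PIDFile=/var/run/furt/furt.pid
ProtectSystem=strict
ReadWritePaths=/var/run/furt /var/log/furt
ProtectHome=yes
NoNewPrivileges=yes
PrivateTmp=yes
RestrictAddressFamilies=AF_INET
"""

# Hardening settings the commit introduces, keyed by directive.
REQUIRED = {"ProtectSystem": "strict", "ProtectHome": "yes", "NoNewPrivileges": "yes",
            "PrivateTmp": "yes", "RestrictAddressFamilies": "AF_INET"}

def parse_unit(text):
    """Parse unit text into {section: {key: [values]}}. Repeated keys accumulate
    and an empty assignment resets the list, as systemd does for list settings."""
    units, section = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = units.setdefault(m.group(1), {})
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if value:
            section.setdefault(key, []).append(value)
        else:
            section[key] = []
    return units

def lint_service(units):
    """Return findings (empty when [Service] meets the commit's hardening set)."""
    svc = units.get("Service", {})
    def last(k): return (svc.get(k) or [None])[-1]
    findings = [f"{k} should be {v}" for k, v in REQUIRED.items() if last(k) != v]
    # ProtectSystem=strict makes / read-only, so the PIDFile directory must be
    # explicitly granted via ReadWritePaths or the service cannot write its pid.
    pidfile = last("PIDFile")
    if pidfile and last("ProtectSystem") == "strict":
        rw = " ".join(svc.get("ReadWritePaths", [])).split()
        if not any(pidfile.startswith(p.rstrip("/") + "/") for p in rw):
            findings.append(f"PIDFile {pidfile} is not under any ReadWritePaths")
    return findings
```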