ipfs: hardened ipfs config

ipfs/lib/systemd/system/ipfs.service

@@ -1,26 +1,55 @@
 [Unit]
 Description=IPFS Daemon
+Documentation=https://docs.ipfs.io/
 After=network.target
 
 [Service]
-#Runtime
+# hardening
-Environment="IPFS_PATH=/mnt/ipfs"
+ReadWritePaths=/home/ipfs /mnt/ipfs
-Environment=IPFS_LOGGING="error"
+NoNewPrivileges=true
-ExecStart=/home/ipfs/.local/bin/ipfs daemon --enable-gc --migrate
+ProtectSystem=strict
-User=ipfs
+ProtectKernelTunables=true
-Restart=on-failure
+ProtectKernelModules=true
-RestartSec=10s
+ProtectKernelLogs=true
-KillSignal=SIGINT
+PrivateDevices=true
+DevicePolicy=closed
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+ProtectHostname=true
+PrivateTmp=true
+ProtectClock=true
+LockPersonality=true
+RestrictNamespaces=true
+RestrictRealtime=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+#ProtectHome=true
+RemoveIPC=true
+RestrictSUIDSGID=true
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 
-#Accounting
+LimitNOFILE=8192
-LimitNOFILE=10240
 #LimitNice=10
 MemoryAccounting=true
-MemoryHigh=512M
+MemoryHigh=768M
-MemoryMax=768M
+MemoryMax=1024M
-MemorySwapMax=512M
+MemorySwapMax=0
 CPUAccounting=true
 CPUQuota=40%
+TimeoutStartSec=infinity
+
+Type=notify
+Environment="IPFS_PATH=/mnt/ipfs"
+Environment=IPFS_LOGGING="error"
+Environment=IPFS_FD_MAX=8192
+ExecStart=/home/ipfs/.local/bin/ipfs daemon --init --enable-gc --migrate
+User=ipfs
+Group=ipfs
+StateDirectory=ipfs
+Restart=on-failure
+KillSignal=SIGINT
 
 [Install]
 WantedBy=multi-user.target