Merge pull request 'ipfs: hardened ipfs config' (#13) from claudiomaradonna/dot-files:master into master

Reviewed-on: https://gitea.it/Unitoo/dot-files/pulls/13
This commit is contained in:
Claudio Maradonna 2022-04-24 11:19:14 +02:00
commit 9b3cf76244

View file

@ -1,26 +1,55 @@
[Unit]
Description=IPFS Daemon
Documentation=https://docs.ipfs.io/
After=network.target
[Service]
#Runtime
Environment="IPFS_PATH=/mnt/ipfs"
Environment=IPFS_LOGGING="error"
ExecStart=/home/ipfs/.local/bin/ipfs daemon --enable-gc --migrate
User=ipfs
Restart=on-failure
RestartSec=10s
KillSignal=SIGINT
# hardening
ReadWritePaths=/home/ipfs /mnt/ipfs
NoNewPrivileges=true
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
PrivateDevices=true
DevicePolicy=closed
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
ProtectHostname=true
PrivateTmp=true
ProtectClock=true
LockPersonality=true
RestrictNamespaces=true
RestrictRealtime=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
#ProtectHome=true
RemoveIPC=true
RestrictSUIDSGID=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#Accounting
LimitNOFILE=10240
LimitNOFILE=8192
#LimitNice=10
MemoryAccounting=true
MemoryHigh=512M
MemoryMax=768M
MemorySwapMax=512M
MemoryHigh=768M
MemoryMax=1024M
MemorySwapMax=0
CPUAccounting=true
CPUQuota=40%
TimeoutStartSec=infinity
Type=notify
Environment="IPFS_PATH=/mnt/ipfs"
Environment=IPFS_LOGGING="error"
Environment=IPFS_FD_MAX=8192
ExecStart=/home/ipfs/.local/bin/ipfs daemon --init --enable-gc --migrate
User=ipfs
Group=ipfs
StateDirectory=ipfs
Restart=on-failure
KillSignal=SIGINT
[Install]
WantedBy=multi-user.target