From 4234e4b50563ffe28544a7a1888867e04b19f301 Mon Sep 17 00:00:00 2001
From: Claudio Maradonna
Date: Sun, 24 Apr 2022 10:21:28 +0200
Subject: [PATCH] ipfs: hardened ipfs config
---
 ipfs/lib/systemd/system/ipfs.service | 55 +++++++++++++++++++++-------
 1 file changed, 42 insertions(+), 13 deletions(-)
diff --git a/ipfs/lib/systemd/system/ipfs.service b/ipfs/lib/systemd/system/ipfs.service
index 6661590..20ac290 100644
--- a/ipfs/lib/systemd/system/ipfs.service
+++ b/ipfs/lib/systemd/system/ipfs.service
@@ -1,26 +1,55 @@
 [Unit]
 Description=IPFS Daemon
+Documentation=https://docs.ipfs.io/
 After=network.target
 
 [Service]
-#Runtime
-Environment="IPFS_PATH=/mnt/ipfs"
-Environment=IPFS_LOGGING="error"
-ExecStart=/home/ipfs/.local/bin/ipfs daemon --enable-gc --migrate
-User=ipfs
-Restart=on-failure
-RestartSec=10s
-KillSignal=SIGINT
+# hardening
+ReadWritePaths=/home/ipfs /mnt/ipfs
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+PrivateDevices=true
+DevicePolicy=closed
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+ProtectHostname=true
+PrivateTmp=true
+ProtectClock=true
+LockPersonality=true
+RestrictNamespaces=true
+RestrictRealtime=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+#ProtectHome=true
+RemoveIPC=true
+RestrictSUIDSGID=true
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 
-#Accounting
-LimitNOFILE=10240
+LimitNOFILE=8192
 #LimitNice=10
 MemoryAccounting=true
-MemoryHigh=512M
-MemoryMax=768M
-MemorySwapMax=512M
+MemoryHigh=768M
+MemoryMax=1024M
+MemorySwapMax=0
 CPUAccounting=true
 CPUQuota=40%
+TimeoutStartSec=infinity
+
+Type=notify
+Environment="IPFS_PATH=/mnt/ipfs"
+Environment=IPFS_LOGGING="error"
+Environment=IPFS_FD_MAX=8192
+ExecStart=/home/ipfs/.local/bin/ipfs daemon --init --enable-gc --migrate
+User=ipfs
+Group=ipfs
+StateDirectory=ipfs
+Restart=on-failure
+KillSignal=SIGINT
 
 [Install]
 WantedBy=multi-user.target
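Review bot: The hardening is undercut by `ReadWritePaths=/home/ipfs` on the new side: the `ExecStart` binary lives at `/home/ipfs/.local/bin/ipfs`, so the daemon (running as `User=ipfs`, presumably the owner of that home) keeps write access to its own executable and a compromised process could replace the binary that systemd launches on the next restart, which is exactly the persistence `ProtectSystem=strict` is meant to block; this is also, I assume, why `#ProtectHome=true` had to stay commented out. Installing the binary into a root-owned system path and confining writes to the repo would close this with `ReadWritePaths=/mnt/ipfs`, `ProtectHome=true` and `ExecStart=/usr/local/bin/ipfs daemon --init --enable-gc --migrate`. Two smaller points in the same block: `StateDirectory=ipfs` appears unused because `IPFS_PATH=/mnt/ipfs` points the repo elsewhere, so either drop it or note in a comment why `/var/lib/ipfs` is created; and `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` grants nothing to a non-root service without `AmbientCapabilities`, so if the daemon does not bind a privileged port an empty `CapabilityBoundingSet=` is the tighter and clearer setting.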