ipfs: hardened ipfs config

ipfs/lib/systemd/system/ipfs.service

@@ -1,26 +1,55 @@
 [Unit]
 Description=IPFS Daemon
+Documentation=https://docs.ipfs.io/
 After=network.target
 
 [Service]
-#Runtime
-Environment="IPFS_PATH=/mnt/ipfs"
-Environment=IPFS_LOGGING="error"
-ExecStart=/home/ipfs/.local/bin/ipfs daemon --enable-gc --migrate
-User=ipfs
-Restart=on-failure
-RestartSec=10s
-KillSignal=SIGINT
+# hardening
+ReadWritePaths=/home/ipfs /mnt/ipfs
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+PrivateDevices=true
+DevicePolicy=closed
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+ProtectHostname=true
+PrivateTmp=true
+ProtectClock=true
+LockPersonality=true
+RestrictNamespaces=true
+RestrictRealtime=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+#ProtectHome=true
+RemoveIPC=true
+RestrictSUIDSGID=true
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 
-#Accounting
-LimitNOFILE=10240
+LimitNOFILE=8192
 #LimitNice=10
 MemoryAccounting=true
-MemoryHigh=512M
-MemoryMax=768M
-MemorySwapMax=512M
+MemoryHigh=768M
+MemoryMax=1024M
+MemorySwapMax=0
 CPUAccounting=true
 CPUQuota=40%
+TimeoutStartSec=infinity
+
+Type=notify
+Environment="IPFS_PATH=/mnt/ipfs"
+Environment=IPFS_LOGGING="error"
+Environment=IPFS_FD_MAX=8192
+ExecStart=/home/ipfs/.local/bin/ipfs daemon --init --enable-gc --migrate
+User=ipfs
+Group=ipfs
+StateDirectory=ipfs
+Restart=on-failure
+KillSignal=SIGINT
 
 [Install]
 WantedBy=multi-user.target