A common and reliable pattern in service unit files is thus:
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict
Clément Michaud clems4ever
clems4ever
/ systemd_service_hardening.md
Created
September 20, 2022 21:18
— forked from ageis/systemd_service_hardening.md
Options for hardening systemd service units
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "name": "authelia", | |
| "version": "3.7.1", | |
| "lockfileVersion": 1, | |
| "requires": true, | |
| "dependencies": { | |
| "@sinonjs/formatio": { | |
| "version": "2.0.0", | |
| "resolved": "https://registry.npmjs.org/@sinonjs/formatio/-/formatio-2.0.0.tgz", | |
| "integrity": "sha512-ls6CAMA6/5gG+O/IdsBcblvnd8qcO/l1TYoNeAzp3wcISOxlPXQEus0mLcdwazEkWjaBdaJ3TaxmNgCLWwvWzg==", |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler | |
| import os | |
| class MyHandler(BaseHTTPRequestHandler): | |
| def do_GET(self): | |
| self.send_response(200) | |
| self.send_header('Content-type', 'text/html') | |
| self.end_headers() | |
| self.wfile.write('<html><head><title>Hello Criteo</title></head><body><h1>Hello Criteo!</h1></body></html>') | |
| def log_message(self, format, *args): |
clems4ever
/ custom-chain-enforcement.service
Last active
July 18, 2019 17:49
docker-swarm iptables FORWARD custom chain enforcement
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Unit] | |
| Description=Public filter enforcement Service | |
| [Service] | |
| Type=simple | |
| ExecStart=/home/user/custom-chain-enforcement.sh | |
| KillMode=mixed | |
| TimeoutStartSec=0 | |
| RestartSec=0 |
clems4ever
/ ansible-docker-network.yml
Last active
July 24, 2024 11:11
Deploy a docker service using Ansible within Docker Swarm 1.12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: Check if network {{ name }} exists | |
| delegate_to: "{{ groups['docker_swarm_issuer'][0] }}" | |
| run_once: true | |
| command: docker network ls -q --filter name=^{{ name }}$ | |
| register: network_exists | |
| changed_when: false | |
| - name: Create network {{ name }} | |
| command: docker network create --driver {{ driver }} {{ name }} |