author alex <alex@pdp7.net> 2026-01-27 21:05:23 +0100
committer alex <alex@pdp7.net> 2026-01-27 21:05:23 +0100
commit 700b4292795e607640be9e37f90f90c038157631 (patch)
tree a259421f65dd9f692e76ecb2418911d2c1c86af9 /README.md
parent e649a976fa4d7bc3e70beda0576a8946ef38de4a (diff)
Harden
Diffstat (limited to 'README.md')
-rw-r--r-- README.md 21
1 files changed, 21 insertions, 0 deletions
diff --git a/README.md b/README.md
index 2a21b42..ec8b5d2 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,28 @@ With `/etc/systemd/system/gemini-from-http.service`:
[Service]
LoadCredential=certificates:/etc/apache2/md/domains/
ExecStart=.../proxy.py --certificates-from-credential certificates
+DynamicUser=true
+CapabilityBoundingSet=
+PrivateDevices=true
+ProtectClock=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+SystemCallArchitectures=native
+MemoryDenyWriteExecute=true
+RestrictNamespaces=true
+ProtectHostname=true
+LockPersonality=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictRealtime=true
+# If you don't put proxy.py in a home directory... ProtectHome=true
+ProtectProc=invisible
+ProcSubset=pid
PrivateUsers=self
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+UMask=7777
```
Systemd injects the certificates to a private path than only `proxy.py` can read.
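Review bot: `UMask=7777` at the end of the hunk looks like a typo rather than a deliberate choice: a umask is an octal permission mask and the kernel only honours its low nine bits, so this behaves as `0777`, meaning every file or Unix socket `proxy.py` creates gets mode 000. If the intent is a restrictive default, `UMask=0077` is the conventional value; if the intent really is that the service must never create a readable file, a comment saying so would save the next reader a surprise. One more thing worth a line in the README: with `CapabilityBoundingSet=` left empty and `DynamicUser=true`, the proxy cannot bind a port below 1024, so anyone running it on a privileged port will need `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` together with `AmbientCapabilities=CAP_NET_BIND_SERVICE`.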