| -rw-r--r-- | README.md | 21 |
1 files changed, 21 insertions, 0 deletions
@@ -12,7 +12,28 @@ With `/etc/systemd/system/gemini-from-http.service`: [Service] LoadCredential=certificates:/etc/apache2/md/domains/ ExecStart=.../proxy.py --certificates-from-credential certificates +DynamicUser=true +CapabilityBoundingSet= +PrivateDevices=true +ProtectClock=true +ProtectKernelLogs=true +ProtectControlGroups=true +ProtectKernelModules=true +SystemCallArchitectures=native +MemoryDenyWriteExecute=true +RestrictNamespaces=true +ProtectHostname=true +LockPersonality=true +ProtectKernelTunables=true +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +RestrictRealtime=true +# If you don't put proxy.py in a home directory... ProtectHome=true +ProtectProc=invisible +ProcSubset=pid PrivateUsers=self +SystemCallFilter=@system-service +SystemCallErrorNumber=EPERM +UMask=7777 ``` Systemd injects the certificates to a private path than only `proxy.py` can read. |
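Review bot: `UMask=7777` at the end of the added block masks every permission bit, so any file the service creates comes out with mode 0000, and it reads more like a typo than a deliberate choice. If the intent is only that files stay private to the service user, `UMask=0077` is the usual value; if proxy.py is really meant never to create usable files, a short comment saying so would help the next reader. Separately, the only explanation in the README for the new directives is the comment next to `ProtectHome=true`. A sentence saying whether proxy.py was exercised with `MemoryDenyWriteExecute=true` and `SystemCallFilter=@system-service` in place, plus a pointer to `systemd-analyze security gemini-from-http.service` for checking the result, would make the block easier to adapt.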
