From 700b4292795e607640be9e37f90f90c038157631 Mon Sep 17 00:00:00 2001 From: alex Date: Tue, 27 Jan 2026 21:05:23 +0100 Subject: Harden --- README.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/README.md b/README.md index 2a21b42..ec8b5d2 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,28 @@ With `/etc/systemd/system/gemini-from-http.service`: [Service] LoadCredential=certificates:/etc/apache2/md/domains/ ExecStart=.../proxy.py --certificates-from-credential certificates +DynamicUser=true +CapabilityBoundingSet= +PrivateDevices=true +ProtectClock=true +ProtectKernelLogs=true +ProtectControlGroups=true +ProtectKernelModules=true +SystemCallArchitectures=native +MemoryDenyWriteExecute=true +RestrictNamespaces=true +ProtectHostname=true +LockPersonality=true +ProtectKernelTunables=true +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +RestrictRealtime=true +# If you don't put proxy.py in a home directory... ProtectHome=true +ProtectProc=invisible +ProcSubset=pid PrivateUsers=self +SystemCallFilter=@system-service +SystemCallErrorNumber=EPERM +UMask=7777 ``` Systemd injects the certificates to a private path than only `proxy.py` can read. -- cgit v1.2.3
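Review bot: `UMask=7777` near the end of the hunk is not a valid umask: the value is an octal file-mode mask with a maximum of 0777, so systemd will reject this setting when it parses the unit (leaving the default 0022 in effect) rather than giving the tighter mask that was intended. Use `UMask=0077` so files and sockets the proxy creates are readable only by its own (dynamic) user. Two smaller points in the same hunk: the added comment `# If you don't put proxy.py in a home directory...` trails off before saying what to do in the other case (presumably `ProtectHome=read-only` or dropping the line), so finish the sentence, since `ProtectHome=true` will make an `ExecStart=` that lives under `/home` fail to start; and since this is a README, the context line `Systemd injects the certificates to a private path than only proxy.py can read` could be fixed to `that only` in the same change. The rest of the sandboxing set is consistent: `DynamicUser=true` already implies `ProtectSystem=strict`, and an empty `CapabilityBoundingSet=` is fine as long as the proxy binds an unprivileged port, which is worth stating in the README next to these lines.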