mirror of
https://github.com/svenstaro/miniserve
synced 2024-06-29 06:04:30 +00:00
Add hardened systemd unit file
parent 13e0d512d3
commit 26395cd359
@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
<!-- next-header -->
## [Unreleased] - ReleaseDate
- Add hardened systemd template unit file to `packaging/miniserve@.service`
## [0.14.0] - 2021-04-18
- Fix breadcrumbs for right-to-left languages [#489](https://github.com/svenstaro/miniserve/pull/489) (thanks @aliemjay)
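Review bot: the new `## [Unreleased]` entry lacks the PR link that the other entries in this changelog carry (compare the `0.14.0` line, which ends in `[#489](https://github.com/svenstaro/miniserve/pull/489)`); append the link for this change's PR once it has a number so the entry matches the existing convention.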
README.md
@ -205,6 +205,29 @@ few examples with common paths are provided below:
# For fish
miniserve --print-completions fish > ~/.config/fish/completions/miniserve.fish
## systemd
A hardened systemd-compatible unit file can be found in `packaging/miniserve@.service`. You could
install this to `/etc/systemd/system/miniserve@.service` and start and enable `miniserve` as a
daemon on a specific serve path `/my/serve/path` like this:
systemctl enable --now miniserve@-my-serve-path
Keep in mind that you'll have to use `systemd-escape` to properly escape a path for this usage.
In case you want to customize the particular flags that miniserve launches with, you can use
systemctl edit miniserve@-my-serve-path
and set the `[Service]` part in the resulting `override.conf` file. For instance:
[Service]
ExecStart=/usr/bin/miniserve --enable-tar --enable-zip --no-symlinks --verbose -i ::1 -p 1234 --title Saugeland --color-scheme monokai --color-scheme-dark monokai -- %I
Make sure to leave the `%I` at the very end in place or the wrong path might be served. You
might additionally have to override `IPAddressAllow` and `IPAddressDeny` if you plan on making
miniserve directly available on a public interface.
## Binding behavior
For convenience reasons, miniserve will try to bind on all interfaces by default (if no `-i` is provided).
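Review bot: the `systemctl edit` example in this hunk will be refused by systemd as written. The shipped unit already has an `ExecStart=`, so a drop-in that adds `ExecStart=/usr/bin/miniserve --enable-tar ... -- %I` leaves a `Type=simple` service with two `ExecStart=` lines, and systemd fails the unit with "more than one ExecStart= setting, which is only allowed for Type=oneshot services". The override needs an empty assignment first to reset the inherited command: `[Service]`, then `ExecStart=`, then `ExecStart=/usr/bin/miniserve --enable-tar --enable-zip --no-symlinks --verbose -i ::1 -p 1234 --title Saugeland --color-scheme monokai --color-scheme-dark monokai -- %I`. The `systemd-escape` hint should also name the form to use, because the two forms are not interchangeable here: `systemd-escape /my/serve/path` yields `-my-serve-path`, which `%I` in the unit turns back into `/my/serve/path`, whereas `systemd-escape --path /my/serve/path` yields `my-serve-path` and `%I` would then hand miniserve the relative path `my/serve/path`. Spelling out the first command next to the `systemctl enable --now miniserve@-my-serve-path` line would save readers that mistake.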
packaging/miniserve@.service
Normal file
@ -0,0 +1,28 @@
[Unit]
Description=miniserve for %i
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
[Service]
ExecStart=/usr/bin/miniserve -- %I
IPAccounting=yes
IPAddressAllow=localhost
IPAddressDeny=any
DynamicUser=yes
PrivateTmp=yes
PrivateUsers=yes
PrivateDevices=yes
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
[Install]
WantedBy=multi-user.target
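Review bot: `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH` does not grant the service either capability, so this line is misleading in a unit billed as hardened. With `DynamicUser=yes` the process starts as an unprivileged user whose permitted and effective sets are empty; the bounding set only limits what a privileged process could keep. As written, `-p 80` or any other port below 1024 fails to bind, and `CAP_DAC_READ_SEARCH` is dead configuration. Either add `AmbientCapabilities=CAP_NET_BIND_SERVICE` if low ports are a requirement (and test it, since `PrivateUsers=yes` scopes capabilities to the service's own user namespace while the socket lives in the host's network namespace, so expect that combination to still be refused), or set `CapabilityBoundingSet=` to the empty set so the unit states the privilege it actually uses; making `CAP_DAC_READ_SEARCH` ambient would let miniserve read any file on the host and has no place here. Two of the other settings interact with the served path in ways the README should state: `ProtectSystem=strict` mounts the whole file system read-only for the service, so anything that writes into `%I` needs `ReadWritePaths=%I`, and `ProtectHome=yes` makes `/home`, `/root` and `/run/user` inaccessible, so an instance pointed under `/home` serves nothing unless this is relaxed to `ProtectHome=read-only`. `IPAddressAllow=localhost` with `IPAddressDeny=any` is the right default for a tool that binds every interface, but it is enforced by per-cgroup BPF and needs the unified cgroup v2 hierarchy; on a hybrid or v1 system systemd only logs a warning and the filter is not applied. `Wants=systemd-networkd-wait-online.service` ties the unit to networkd; `Wants=network-online.target` alone suffices, since whichever wait-online service the host uses is already hooked into that target. Worth adding for a `systemd-analyze security` pass: `RestrictAddressFamilies=AF_INET AF_INET6`, `RestrictNamespaces=yes`, `SystemCallFilter=@system-service`, `SystemCallArchitectures=native`, `LockPersonality=yes`, `MemoryDenyWriteExecute=yes`, `RestrictRealtime=yes`, `RestrictSUIDSGID=yes` and `ProtectHostname=yes`.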