Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add systemd service example #125

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add systemd service example #125

wants to merge 1 commit into from

Conversation

davispuh
Copy link

@davispuh davispuh commented Jan 28, 2024
edited

If you want to run it 24/7 as proper systemd service then it's useful to have .service. I tried to harden it as much as possible, only few things could be tweaked more like SystemCallFilter but this already should be good enough.

$ systemd-analyze security bitmagnet
[...]
→ Overall exposure level for bitmagnet.service: 1.2 OK 🙂 (lower number means most secure, 10 is most unsafe)

And here's bonus nginx config

upstream bitmagnet {
    server 127.0.0.1:3333;
}

server {
    listen 443 ssl;

    server_name bitmagnet.example.org;

    access_log  /var/log/nginx/bitmagnet.access.log;
    error_log   /var/log/nginx/bitmagnet.error.log;

    # Consider using some auth if you want allow non-local
    allow 127.0.0.0/8;
    allow ::1/128;
    deny all;

    ssl_certificate "/etc/letsencrypt/live/bitmagnet.example.org/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/bitmagnet.example.org/privkey.pem";
    ssl_trusted_certificate "/etc/letsencrypt/live/bitmagnet.example.org/chain.pem";

    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Frame-Options "DENY";
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy "default-src 'self' https:; object-src 'none; frame-src 'none'; base-uri 'self'; img-src https: data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; connect-src https:; sandbox allow-same-origin allow-scripts allow-downloads; trusted-types; require-trusted-types-for 'script';

    location / {
        proxy_pass http://bitmagnet;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }

}

@mgdigital
Copy link
Collaborator

Thanks for this @davispuh . I'm open to adding this, though might it be better in the form of a tutorial for the website? I'd want to do a bit of testing first, which will require some set-up work for me as I'm running through Docker. I will get round to this when I can unless someone can beat me to it and do an independent review of this....

@davispuh
Copy link
Author

though might it be better in the form of a tutorial for the website?

It can be useful for both. For packaging use case only actual copyable file is usable since trying to extract it out doesn't seem good idea and then everyone would just have their own copies which wouldn't get updated hence copyable upstream file is better.

@davispuh davispuh mentioned this pull request Jan 28, 2024
Closed
@hardKOrr
Copy link

I created a bitmagnet LXC and used this service file (updating user/group) and have been running successfully for a couple days.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@davispuh @mgdigital @hardKOrr