rest-server/examples/systemd/rest-server.service

[Unit]
Description=Rest Server
After=syslog.target
After=network.target

[Service]
Type=simple
User=www-data
Group=www-data
ExecStart=/usr/local/bin/rest-server --path /path/to/backups
Restart=always
RestartSec=5
# Makes created files group-readable, but inaccessible by others
UMask=027

# Recommended security enhancements using features present in systemd version 247
CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=true
PrivateUsers=true
ProtectSystem=strict
ProtectHome=yes
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectHostname=true
ProcSubset=pid
ReadWritePaths=/path/to/backups
RemoveIPC=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6
RestrictSUIDSGID=true
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
Example systemd service file 2016-11-07 00:54:32 +01:00			`[Unit]`
Restic server shall be called Rest server from now on The repo moved from github.com/zcalusic/restic-server to the new home github.com/restic/rest-server 2016-12-28 21:52:19 +01:00			`Description=Rest Server`
Example systemd service file 2016-11-07 00:54:32 +01:00			`After=syslog.target`
			`After=network.target`

			`[Service]`
			`Type=simple`
			`User=www-data`
			`Group=www-data`
Make example systemd service more restrictive In addition to any existing filesystem restrictions on the (www-data) backup user these config options uses namespaces and other kernel features to further restrict what the _rest-server_ is allowed to do. * `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures that the _rest-server_ is only allowed to write to its data directory. * `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_ gets (read) access to. * `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid binaries, etc to escalate its privileges. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for further details While at I also replaced the _/tmp/restic_ path with a more explicit placeholder path. Given that one rarely wants to backup to _/tmp_ I figured it better to force a choice of path rather than to have someone accidentally end up using _/tmp/restic_ for their backups. 2020-09-13 14:04:21 +02:00			`ExecStart=/usr/local/bin/rest-server --path /path/to/backups`
Example systemd service file 2016-11-07 00:54:32 +01:00			`Restart=always`
			`RestartSec=5`
Improve security of example systemd unit file The supplied systemd unit file places some basic security restrictions on the rest service. This patch enhances those, and improves the overall security assessment score given by `systemd-analyze security` from "8.3 EXPOSED" to "1.3 OK". Closes #148 2021-04-02 19:45:37 +01:00			`# Makes created files group-readable, but inaccessible by others`
			`UMask=027`
Example systemd service file 2016-11-07 00:54:32 +01:00
Improve security of example systemd unit file The supplied systemd unit file places some basic security restrictions on the rest service. This patch enhances those, and improves the overall security assessment score given by `systemd-analyze security` from "8.3 EXPOSED" to "1.3 OK". Closes #148 2021-04-02 19:45:37 +01:00			`# Recommended security enhancements using features present in systemd version 247`
			`CapabilityBoundingSet=`
			`LockPersonality=true`
			`MemoryDenyWriteExecute=true`
Make example systemd service more restrictive In addition to any existing filesystem restrictions on the (www-data) backup user these config options uses namespaces and other kernel features to further restrict what the _rest-server_ is allowed to do. * `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures that the _rest-server_ is only allowed to write to its data directory. * `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_ gets (read) access to. * `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid binaries, etc to escalate its privileges. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for further details While at I also replaced the _/tmp/restic_ path with a more explicit placeholder path. Given that one rarely wants to backup to _/tmp_ I figured it better to force a choice of path rather than to have someone accidentally end up using _/tmp/restic_ for their backups. 2020-09-13 14:04:21 +02:00			`NoNewPrivileges=yes`
			`PrivateTmp=yes`
Improve security of example systemd unit file The supplied systemd unit file places some basic security restrictions on the rest service. This patch enhances those, and improves the overall security assessment score given by `systemd-analyze security` from "8.3 EXPOSED" to "1.3 OK". Closes #148 2021-04-02 19:45:37 +01:00			`PrivateDevices=true`
			`PrivateUsers=true`
Make example systemd service more restrictive In addition to any existing filesystem restrictions on the (www-data) backup user these config options uses namespaces and other kernel features to further restrict what the _rest-server_ is allowed to do. * `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures that the _rest-server_ is only allowed to write to its data directory. * `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_ gets (read) access to. * `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid binaries, etc to escalate its privileges. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for further details While at I also replaced the _/tmp/restic_ path with a more explicit placeholder path. Given that one rarely wants to backup to _/tmp_ I figured it better to force a choice of path rather than to have someone accidentally end up using _/tmp/restic_ for their backups. 2020-09-13 14:04:21 +02:00			`ProtectSystem=strict`
			`ProtectHome=yes`
Improve security of example systemd unit file The supplied systemd unit file places some basic security restrictions on the rest service. This patch enhances those, and improves the overall security assessment score given by `systemd-analyze security` from "8.3 EXPOSED" to "1.3 OK". Closes #148 2021-04-02 19:45:37 +01:00			`ProtectClock=true`
			`ProtectControlGroups=true`
			`ProtectKernelLogs=true`
			`ProtectKernelModules=true`
			`ProtectKernelTunables=true`
			`ProtectProc=invisible`
			`ProtectHostname=true`
			`ProcSubset=pid`
Make example systemd service more restrictive In addition to any existing filesystem restrictions on the (www-data) backup user these config options uses namespaces and other kernel features to further restrict what the _rest-server_ is allowed to do. * `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures that the _rest-server_ is only allowed to write to its data directory. * `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_ gets (read) access to. * `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid binaries, etc to escalate its privileges. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for further details While at I also replaced the _/tmp/restic_ path with a more explicit placeholder path. Given that one rarely wants to backup to _/tmp_ I figured it better to force a choice of path rather than to have someone accidentally end up using _/tmp/restic_ for their backups. 2020-09-13 14:04:21 +02:00			`ReadWritePaths=/path/to/backups`
Improve security of example systemd unit file The supplied systemd unit file places some basic security restrictions on the rest service. This patch enhances those, and improves the overall security assessment score given by `systemd-analyze security` from "8.3 EXPOSED" to "1.3 OK". Closes #148 2021-04-02 19:45:37 +01:00			`RemoveIPC=true`
			`RestrictNamespaces=true`
			`RestrictAddressFamilies=AF_INET AF_INET6`
			`RestrictSUIDSGID=true`
			`RestrictRealtime=true`
			`SystemCallArchitectures=native`
			`SystemCallFilter=@system-service`
Make example systemd service more restrictive In addition to any existing filesystem restrictions on the (www-data) backup user these config options uses namespaces and other kernel features to further restrict what the _rest-server_ is allowed to do. * `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures that the _rest-server_ is only allowed to write to its data directory. * `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_ gets (read) access to. * `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid binaries, etc to escalate its privileges. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for further details While at I also replaced the _/tmp/restic_ path with a more explicit placeholder path. Given that one rarely wants to backup to _/tmp_ I figured it better to force a choice of path rather than to have someone accidentally end up using _/tmp/restic_ for their backups. 2020-09-13 14:04:21 +02:00
Example systemd service file 2016-11-07 00:54:32 +01:00			`[Install]`
			`WantedBy=multi-user.target`