rest-server/examples/systemd/rest-server.service

[Unit]
Description=Rest Server
After=syslog.target
After=network.target
Requires=rest-server.socket
After=rest-server.socket

[Service]
Type=simple
# You may prefer to use a different user or group on your system.
User=www-data
Group=www-data
ExecStart=/usr/local/bin/rest-server --path /path/to/backups
Restart=always
RestartSec=5

# The following options are available (in systemd v247) to restrict the
# actions of the rest-server.

# As a whole, the purpose of these are to provide an additional layer of
# security by mitigating any unknown security vulnerabilities which may exist
# in rest-server or in the libraries, tools and operating system components
# which it relies upon.

# IMPORTANT!
# The following line must be customised to your individual requirements.
ReadWritePaths=/path/to/backups

# Set to `UMask=007` and pass `--group-accessible-repos` to rest-server to
# make created files group-readable
UMask=077

# If your system doesn't support all of the features below (e.g. because of
# the use of an older version of systemd), you may wish to comment-out
# some of the lines below as appropriate.
CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=yes

# As the listen socket is created by systemd via the rest-server.socket unit, it is
# no longer necessary for rest-server to have access to the host network namespace.
PrivateNetwork=yes

PrivateTmp=yes
PrivateDevices=true
PrivateUsers=true
ProtectSystem=strict
ProtectHome=yes
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectHostname=true
RemoveIPC=true
RestrictNamespaces=true
RestrictAddressFamilies=none
RestrictSUIDSGID=true
RestrictRealtime=true
# if your service crashes with "code=killed, status=31/SYS", you probably tried to run linux_i386 (32bit) binary on a amd64 host
SystemCallArchitectures=native
SystemCallFilter=@system-service

# Additionally, you may wish to use some of the systemd options documented in
# systemd.resource-control(5) to limit the CPU, memory, file-system I/O and
# network I/O that the rest-server is permitted to consume according to the
# individual requirements of your installation.
#CPUQuota=25%
#MemoryHigh=bytes
#MemoryMax=bytes
#MemorySwapMax=bytes
#TasksMax=N
#IOReadBandwidthMax=device bytes
#IOWriteBandwidthMax=device bytes
#IOReadIOPSMax=device IOPS, IOWriteIOPSMax=device IOPS
#IPAccounting=true
#IPAddressAllow=

[Install]
WantedBy=multi-user.target
Example systemd service file 2016-11-07 00:54:32 +01:00			`[Unit]`
Restic server shall be called Rest server from now on The repo moved from github.com/zcalusic/restic-server to the new home github.com/restic/rest-server 2016-12-28 21:52:19 +01:00			`Description=Rest Server`
Example systemd service file 2016-11-07 00:54:32 +01:00			`After=syslog.target`
			`After=network.target`
Improve security of rest-server.service by restricting network access This patch improves the overall security assessment score given by `systemd-analyze security rest-server.service` from "1.3 OK" to "0.6 SAFE" (when using systemd-analyze version 253) * Remove `AF_INET AF_INET6` from RestrictAddressFamilies. Sockets originating from socket activation are not affected by the systemd directive RestrictAddressFamilies. See systemd.exec man page. * Add `PrivateNetwork=yes` as recommended for socket-activated services in the systemd.socket man page * Add dependency on rest-server.socket Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com> 2023-07-13 18:28:33 +02:00			`Requires=rest-server.socket`
			`After=rest-server.socket`
Support running on demand systemd socket activation 2021-08-09 16:06:35 +02:00
Example systemd service file 2016-11-07 00:54:32 +01:00			`[Service]`
			`Type=simple`
Improve commenting of systemd unit file based on review. 2021-05-31 11:39:29 +01:00			`# You may prefer to use a different user or group on your system.`
Example systemd service file 2016-11-07 00:54:32 +01:00			`User=www-data`
			`Group=www-data`
Make example systemd service more restrictive In addition to any existing filesystem restrictions on the (www-data) backup user these config options uses namespaces and other kernel features to further restrict what the _rest-server_ is allowed to do. * `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures that the _rest-server_ is only allowed to write to its data directory. * `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_ gets (read) access to. * `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid binaries, etc to escalate its privileges. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for further details While at I also replaced the _/tmp/restic_ path with a more explicit placeholder path. Given that one rarely wants to backup to _/tmp_ I figured it better to force a choice of path rather than to have someone accidentally end up using _/tmp/restic_ for their backups. 2020-09-13 14:04:21 +02:00			`ExecStart=/usr/local/bin/rest-server --path /path/to/backups`
Example systemd service file 2016-11-07 00:54:32 +01:00			`Restart=always`
			`RestartSec=5`
Improve commenting of systemd unit file based on review. 2021-05-31 11:39:29 +01:00
			`# The following options are available (in systemd v247) to restrict the`
			`# actions of the rest-server.`

			`# As a whole, the purpose of these are to provide an additional layer of`
			`# security by mitigating any unknown security vulnerabilities which may exist`
			`# in rest-server or in the libraries, tools and operating system components`
			`# which it relies upon.`

			`# IMPORTANT!`
			`# The following line must be customised to your individual requirements.`
			`ReadWritePaths=/path/to/backups`

document how to use group-accessible repos with systemd 2025-02-17 22:40:32 +01:00			# Set to `UMask=007` and pass `--group-accessible-repos` to rest-server to
			`# make created files group-readable`
			`UMask=077`
Example systemd service file 2016-11-07 00:54:32 +01:00
Improve commenting of systemd unit file based on review. 2021-05-31 11:39:29 +01:00			`# If your system doesn't support all of the features below (e.g. because of`
			`# the use of an older version of systemd), you may wish to comment-out`
			`# some of the lines below as appropriate.`
Improve security of example systemd unit file The supplied systemd unit file places some basic security restrictions on the rest service. This patch enhances those, and improves the overall security assessment score given by `systemd-analyze security` from "8.3 EXPOSED" to "1.3 OK". Closes #148 2021-04-02 19:45:37 +01:00			`CapabilityBoundingSet=`
			`LockPersonality=true`
			`MemoryDenyWriteExecute=true`
Make example systemd service more restrictive In addition to any existing filesystem restrictions on the (www-data) backup user these config options uses namespaces and other kernel features to further restrict what the _rest-server_ is allowed to do. * `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures that the _rest-server_ is only allowed to write to its data directory. * `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_ gets (read) access to. * `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid binaries, etc to escalate its privileges. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for further details While at I also replaced the _/tmp/restic_ path with a more explicit placeholder path. Given that one rarely wants to backup to _/tmp_ I figured it better to force a choice of path rather than to have someone accidentally end up using _/tmp/restic_ for their backups. 2020-09-13 14:04:21 +02:00			`NoNewPrivileges=yes`
Improve security of rest-server.service by restricting network access This patch improves the overall security assessment score given by `systemd-analyze security rest-server.service` from "1.3 OK" to "0.6 SAFE" (when using systemd-analyze version 253) * Remove `AF_INET AF_INET6` from RestrictAddressFamilies. Sockets originating from socket activation are not affected by the systemd directive RestrictAddressFamilies. See systemd.exec man page. * Add `PrivateNetwork=yes` as recommended for socket-activated services in the systemd.socket man page * Add dependency on rest-server.socket Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com> 2023-07-13 18:28:33 +02:00
			`# As the listen socket is created by systemd via the rest-server.socket unit, it is`
			`# no longer necessary for rest-server to have access to the host network namespace.`
			`PrivateNetwork=yes`

Make example systemd service more restrictive In addition to any existing filesystem restrictions on the (www-data) backup user these config options uses namespaces and other kernel features to further restrict what the _rest-server_ is allowed to do. * `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures that the _rest-server_ is only allowed to write to its data directory. * `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_ gets (read) access to. * `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid binaries, etc to escalate its privileges. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for further details While at I also replaced the _/tmp/restic_ path with a more explicit placeholder path. Given that one rarely wants to backup to _/tmp_ I figured it better to force a choice of path rather than to have someone accidentally end up using _/tmp/restic_ for their backups. 2020-09-13 14:04:21 +02:00			`PrivateTmp=yes`
Improve security of example systemd unit file The supplied systemd unit file places some basic security restrictions on the rest service. This patch enhances those, and improves the overall security assessment score given by `systemd-analyze security` from "8.3 EXPOSED" to "1.3 OK". Closes #148 2021-04-02 19:45:37 +01:00			`PrivateDevices=true`
			`PrivateUsers=true`
Make example systemd service more restrictive In addition to any existing filesystem restrictions on the (www-data) backup user these config options uses namespaces and other kernel features to further restrict what the _rest-server_ is allowed to do. * `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures that the _rest-server_ is only allowed to write to its data directory. * `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_ gets (read) access to. * `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid binaries, etc to escalate its privileges. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for further details While at I also replaced the _/tmp/restic_ path with a more explicit placeholder path. Given that one rarely wants to backup to _/tmp_ I figured it better to force a choice of path rather than to have someone accidentally end up using _/tmp/restic_ for their backups. 2020-09-13 14:04:21 +02:00			`ProtectSystem=strict`
			`ProtectHome=yes`
Improve security of example systemd unit file The supplied systemd unit file places some basic security restrictions on the rest service. This patch enhances those, and improves the overall security assessment score given by `systemd-analyze security` from "8.3 EXPOSED" to "1.3 OK". Closes #148 2021-04-02 19:45:37 +01:00			`ProtectClock=true`
			`ProtectControlGroups=true`
			`ProtectKernelLogs=true`
			`ProtectKernelModules=true`
			`ProtectKernelTunables=true`
			`ProtectProc=invisible`
			`ProtectHostname=true`
			`RemoveIPC=true`
			`RestrictNamespaces=true`
Improve security of rest-server.service by restricting network access This patch improves the overall security assessment score given by `systemd-analyze security rest-server.service` from "1.3 OK" to "0.6 SAFE" (when using systemd-analyze version 253) * Remove `AF_INET AF_INET6` from RestrictAddressFamilies. Sockets originating from socket activation are not affected by the systemd directive RestrictAddressFamilies. See systemd.exec man page. * Add `PrivateNetwork=yes` as recommended for socket-activated services in the systemd.socket man page * Add dependency on rest-server.socket Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com> 2023-07-13 18:28:33 +02:00			`RestrictAddressFamilies=none`
Improve security of example systemd unit file The supplied systemd unit file places some basic security restrictions on the rest service. This patch enhances those, and improves the overall security assessment score given by `systemd-analyze security` from "8.3 EXPOSED" to "1.3 OK". Closes #148 2021-04-02 19:45:37 +01:00			`RestrictSUIDSGID=true`
			`RestrictRealtime=true`
warn about SystemCallArchitectures Running 32bit on a 64bit host with SystemCallArchitectures will fail without much information 2023-02-01 00:10:46 +01:00			`# if your service crashes with "code=killed, status=31/SYS", you probably tried to run linux_i386 (32bit) binary on a amd64 host`
Improve security of example systemd unit file The supplied systemd unit file places some basic security restrictions on the rest service. This patch enhances those, and improves the overall security assessment score given by `systemd-analyze security` from "8.3 EXPOSED" to "1.3 OK". Closes #148 2021-04-02 19:45:37 +01:00			`SystemCallArchitectures=native`
			`SystemCallFilter=@system-service`
Make example systemd service more restrictive In addition to any existing filesystem restrictions on the (www-data) backup user these config options uses namespaces and other kernel features to further restrict what the _rest-server_ is allowed to do. * `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures that the _rest-server_ is only allowed to write to its data directory. * `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_ gets (read) access to. * `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid binaries, etc to escalate its privileges. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for further details While at I also replaced the _/tmp/restic_ path with a more explicit placeholder path. Given that one rarely wants to backup to _/tmp_ I figured it better to force a choice of path rather than to have someone accidentally end up using _/tmp/restic_ for their backups. 2020-09-13 14:04:21 +02:00
Document and sign-post additional systemd resource control options. The systemd administrator may wish to use additional resource control facilities which systemd provides. Document the existence of these, and provide some example options in commented form. 2021-05-31 11:40:11 +01:00			`# Additionally, you may wish to use some of the systemd options documented in`
			`# systemd.resource-control(5) to limit the CPU, memory, file-system I/O and`
			`# network I/O that the rest-server is permitted to consume according to the`
			`# individual requirements of your installation.`
			`#CPUQuota=25%`
add MemoryHigh to systemd example 2023-01-21 21:43:56 -05:00			`#MemoryHigh=bytes`
Document and sign-post additional systemd resource control options. The systemd administrator may wish to use additional resource control facilities which systemd provides. Document the existence of these, and provide some example options in commented form. 2021-05-31 11:40:11 +01:00			`#MemoryMax=bytes`
			`#MemorySwapMax=bytes`
			`#TasksMax=N`
			`#IOReadBandwidthMax=device bytes`
			`#IOWriteBandwidthMax=device bytes`
			`#IOReadIOPSMax=device IOPS, IOWriteIOPSMax=device IOPS`
			`#IPAccounting=true`
			`#IPAddressAllow=`

Example systemd service file 2016-11-07 00:54:32 +01:00			`[Install]`
			`WantedBy=multi-user.target`