rest-server/examples/systemd/rest-server.service

[Unit]
Description=Rest Server
After=syslog.target
After=network.target

[Service]
Type=simple
# You may prefer to use a different user or group on your system.
User=www-data
Group=www-data
ExecStart=/usr/local/bin/rest-server --path /path/to/backups
Restart=always
RestartSec=5

# The following options are available (in systemd v247) to restrict the
# actions of the rest-server.

# As a whole, the purpose of these are to provide an additional layer of
# security by mitigating any unknown security vulnerabilities which may exist
# in rest-server or in the libraries, tools and operating system components
# which it relies upon.

# IMPORTANT!
# The following line must be customised to your individual requirements.
ReadWritePaths=/path/to/backups

# Makes created files group-readable, but inaccessible by others
UMask=027

# If your system doesn't support all of the features below (e.g. because of
# the use of an older version of systemd), you may wish to comment-out
# some of the lines below as appropriate.
CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=true
PrivateUsers=true
ProtectSystem=strict
ProtectHome=yes
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectHostname=true
RemoveIPC=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6
RestrictSUIDSGID=true
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=@system-service

# Additionally, you may wish to use some of the systemd options documented in
# systemd.resource-control(5) to limit the CPU, memory, file-system I/O and
# network I/O that the rest-server is permitted to consume according to the
# individual requirements of your installation.
#CPUQuota=25%
#MemoryMax=bytes
#MemorySwapMax=bytes
#TasksMax=N
#IOReadBandwidthMax=device bytes
#IOWriteBandwidthMax=device bytes
#IOReadIOPSMax=device IOPS, IOWriteIOPSMax=device IOPS
#IPAccounting=true
#IPAddressAllow=

[Install]
WantedBy=multi-user.target
Example systemd service file 2016-11-07 00:54:32 +01:00			`[Unit]`
Restic server shall be called Rest server from now on The repo moved from github.com/zcalusic/restic-server to the new home github.com/restic/rest-server 2016-12-28 21:52:19 +01:00			`Description=Rest Server`
Example systemd service file 2016-11-07 00:54:32 +01:00			`After=syslog.target`
			`After=network.target`

			`[Service]`
			`Type=simple`
Improve commenting of systemd unit file based on review. 2021-05-31 11:39:29 +01:00			`# You may prefer to use a different user or group on your system.`
Example systemd service file 2016-11-07 00:54:32 +01:00			`User=www-data`
			`Group=www-data`
Make example systemd service more restrictive In addition to any existing filesystem restrictions on the (www-data) backup user these config options uses namespaces and other kernel features to further restrict what the _rest-server_ is allowed to do. * `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures that the _rest-server_ is only allowed to write to its data directory. * `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_ gets (read) access to. * `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid binaries, etc to escalate its privileges. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for further details While at I also replaced the _/tmp/restic_ path with a more explicit placeholder path. Given that one rarely wants to backup to _/tmp_ I figured it better to force a choice of path rather than to have someone accidentally end up using _/tmp/restic_ for their backups. 2020-09-13 14:04:21 +02:00			`ExecStart=/usr/local/bin/rest-server --path /path/to/backups`
Example systemd service file 2016-11-07 00:54:32 +01:00			`Restart=always`
			`RestartSec=5`
Improve commenting of systemd unit file based on review. 2021-05-31 11:39:29 +01:00
			`# The following options are available (in systemd v247) to restrict the`
			`# actions of the rest-server.`

			`# As a whole, the purpose of these are to provide an additional layer of`
			`# security by mitigating any unknown security vulnerabilities which may exist`
			`# in rest-server or in the libraries, tools and operating system components`
			`# which it relies upon.`

			`# IMPORTANT!`
			`# The following line must be customised to your individual requirements.`
			`ReadWritePaths=/path/to/backups`

Improve security of example systemd unit file The supplied systemd unit file places some basic security restrictions on the rest service. This patch enhances those, and improves the overall security assessment score given by `systemd-analyze security` from "8.3 EXPOSED" to "1.3 OK". Closes #148 2021-04-02 19:45:37 +01:00			`# Makes created files group-readable, but inaccessible by others`
			`UMask=027`
Example systemd service file 2016-11-07 00:54:32 +01:00
Improve commenting of systemd unit file based on review. 2021-05-31 11:39:29 +01:00			`# If your system doesn't support all of the features below (e.g. because of`
			`# the use of an older version of systemd), you may wish to comment-out`
			`# some of the lines below as appropriate.`
Improve security of example systemd unit file The supplied systemd unit file places some basic security restrictions on the rest service. This patch enhances those, and improves the overall security assessment score given by `systemd-analyze security` from "8.3 EXPOSED" to "1.3 OK". Closes #148 2021-04-02 19:45:37 +01:00			`CapabilityBoundingSet=`
			`LockPersonality=true`
			`MemoryDenyWriteExecute=true`
Make example systemd service more restrictive In addition to any existing filesystem restrictions on the (www-data) backup user these config options uses namespaces and other kernel features to further restrict what the _rest-server_ is allowed to do. * `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures that the _rest-server_ is only allowed to write to its data directory. * `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_ gets (read) access to. * `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid binaries, etc to escalate its privileges. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for further details While at I also replaced the _/tmp/restic_ path with a more explicit placeholder path. Given that one rarely wants to backup to _/tmp_ I figured it better to force a choice of path rather than to have someone accidentally end up using _/tmp/restic_ for their backups. 2020-09-13 14:04:21 +02:00			`NoNewPrivileges=yes`
			`PrivateTmp=yes`
Improve security of example systemd unit file The supplied systemd unit file places some basic security restrictions on the rest service. This patch enhances those, and improves the overall security assessment score given by `systemd-analyze security` from "8.3 EXPOSED" to "1.3 OK". Closes #148 2021-04-02 19:45:37 +01:00			`PrivateDevices=true`
			`PrivateUsers=true`
Make example systemd service more restrictive In addition to any existing filesystem restrictions on the (www-data) backup user these config options uses namespaces and other kernel features to further restrict what the _rest-server_ is allowed to do. * `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures that the _rest-server_ is only allowed to write to its data directory. * `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_ gets (read) access to. * `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid binaries, etc to escalate its privileges. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for further details While at I also replaced the _/tmp/restic_ path with a more explicit placeholder path. Given that one rarely wants to backup to _/tmp_ I figured it better to force a choice of path rather than to have someone accidentally end up using _/tmp/restic_ for their backups. 2020-09-13 14:04:21 +02:00			`ProtectSystem=strict`
			`ProtectHome=yes`
Improve security of example systemd unit file The supplied systemd unit file places some basic security restrictions on the rest service. This patch enhances those, and improves the overall security assessment score given by `systemd-analyze security` from "8.3 EXPOSED" to "1.3 OK". Closes #148 2021-04-02 19:45:37 +01:00			`ProtectClock=true`
			`ProtectControlGroups=true`
			`ProtectKernelLogs=true`
			`ProtectKernelModules=true`
			`ProtectKernelTunables=true`
			`ProtectProc=invisible`
			`ProtectHostname=true`
			`RemoveIPC=true`
			`RestrictNamespaces=true`
			`RestrictAddressFamilies=AF_INET AF_INET6`
			`RestrictSUIDSGID=true`
			`RestrictRealtime=true`
			`SystemCallArchitectures=native`
			`SystemCallFilter=@system-service`
Make example systemd service more restrictive In addition to any existing filesystem restrictions on the (www-data) backup user these config options uses namespaces and other kernel features to further restrict what the _rest-server_ is allowed to do. * `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures that the _rest-server_ is only allowed to write to its data directory. * `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_ gets (read) access to. * `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid binaries, etc to escalate its privileges. See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for further details While at I also replaced the _/tmp/restic_ path with a more explicit placeholder path. Given that one rarely wants to backup to _/tmp_ I figured it better to force a choice of path rather than to have someone accidentally end up using _/tmp/restic_ for their backups. 2020-09-13 14:04:21 +02:00
Document and sign-post additional systemd resource control options. The systemd administrator may wish to use additional resource control facilities which systemd provides. Document the existence of these, and provide some example options in commented form. 2021-05-31 11:40:11 +01:00			`# Additionally, you may wish to use some of the systemd options documented in`
			`# systemd.resource-control(5) to limit the CPU, memory, file-system I/O and`
			`# network I/O that the rest-server is permitted to consume according to the`
			`# individual requirements of your installation.`
			`#CPUQuota=25%`
			`#MemoryMax=bytes`
			`#MemorySwapMax=bytes`
			`#TasksMax=N`
			`#IOReadBandwidthMax=device bytes`
			`#IOWriteBandwidthMax=device bytes`
			`#IOReadIOPSMax=device IOPS, IOWriteIOPSMax=device IOPS`
			`#IPAccounting=true`
			`#IPAddressAllow=`

Example systemd service file 2016-11-07 00:54:32 +01:00			`[Install]`
			`WantedBy=multi-user.target`