From a6d1ae443e4e613008b2b349bdbb49591cbc1626 Mon Sep 17 00:00:00 2001
From: nico <nico@magicbroccoli.de>
Date: Wed, 10 Jun 2020 12:00:12 +0200
Subject: systemd service hardening

+ add systemd protective features to restrict the system access
+ add service documentation link
+ add service required / after fields
---
 contrib/init/linux-systemd/ejabberd-influxdb.service | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'contrib/init/linux-systemd/ejabberd-influxdb.service')

diff --git a/contrib/init/linux-systemd/ejabberd-influxdb.service b/contrib/init/linux-systemd/ejabberd-influxdb.service
index 364b574..6b711b6 100644
--- a/contrib/init/linux-systemd/ejabberd-influxdb.service
+++ b/contrib/init/linux-systemd/ejabberd-influxdb.service
@@ -1,5 +1,8 @@
 [Unit]
 Description=ejabberd influxdb exporter
+Documentation=https://dev.sum7.eu/sum7/ejabberd-tools/-/blob/master/README.md
+After=influxdb.service
+Requires=ejabberd.service influxdb.service
 
 [Service]
 Type=simple
@@ -8,6 +11,13 @@ Group=nogroup
 Environment="PATH=/opt/ejabberd-tools/venv/bin:/usr/local/bin:/usr/bin:/bin"
 ExecStart=/opt/ejabberd-tools/influx.py
 WorkingDirectory=/opt/ejabberd-tools/
+PrivateDevices=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=yes
+ProtectSystem=full
+NoNewPrivileges=yes
 Restart=always
 RestartSec=5s
 
-- 
cgit v1.2.3-54-g00ecf