ArcticFoxes-net/Synapse-Ubuntu-ZFS
1
0
Fork 0
mirror of https://github.com/ArcticFoxes-net/Synapse-Ubuntu-ZFS synced 2024-11-17 16:11:33 -05:00
Code

Certbot hardening

Browse Source
This commit is contained in:
Tommy 2023-09-08 15:04:33 -07:00 committed by GitHub
parent 15c9757027
commit d1aee7b41c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 28 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@ -5,10 +5,11 @@ This configuration does not include some hardening configurations, as those are
**Notes**:
- snap ufw blocks Docker by default. ArcticFoxes's Matrix server uses .deb ufw instead.
- Use the .deb certbot package so that you can apply systemd hardening.
- A lot of these configuration files use ArcticFoxes's domain. If you are adopting this to your own system, make sure that you replace them.
- The Certbot-OCSP-Fetcher script can be found [here](https://github.com/GrapheneOS/infrastructure/blob/main/certbot-ocsp-fetcher)
- You need to create a `postgres-socket` and add the `postgres` and `matrix-synapse` user to it.
- You need to create a `matrix-synapse-socket` and add the `matrix-synapse` and `nginx` user to it.
- Systemd overrides for NGINX and SSHD services are based on [GrapheneOS's configurations](https://github.com/GrapheneOS/infrastructure/tree/main/systemd/system).
- Systemd override for Synapse is based on Arch Linux's [matrix-synapse](https://gitlab.archlinux.org/archlinux/packaging/packages/matrix-synapse/-/blob/main/override-hardened.conf?ref_type=heads) package.
- The repolists of PostgreSQL and Docker have been modified so that they read GPG keys from `/usr/share/keyring` by default. Make sure that when you follow upstream's documentation on adding their GPG keys, you adjust the location. For PostgreSQL's GPG key, run `curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /usr/share/keyrings/postgresql-debian-repo.gpg >/dev/null`
- The repolists of PostgreSQL and Docker have been modified so that they read GPG keys from `/usr/share/keyring` by default. Make sure that when you follow upstream's documentation on adding their GPG keys, you adjust the location. For PostgreSQL's GPG key, run `curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /usr/share/keyrings/postgresql-debian-repo.gpg >/dev/null`

26
etc/systemd/system/certbot.service.d/override.conf Normal file
View File

@ -0,0 +1,26 @@
[Service]
CapabilityBoundingSet=
CPUSchedulingPolicy=batch
LockPersonality=true
MemoryDenyWriteExecute=true
PrivateDevices=true
PrivateIPC=true
PrivateUsers=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=read-only
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
ReadWritePaths=/etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt /var/cache/certbot-ocsp-fetcher
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@resources @obsolete