paradizelost/paperless-ngx
1
0
Fork 0
mirror of https://github.com/paperless-ngx/paperless-ngx.git synced 2025-04-02 13:45:10 -05:00
Code Issues Packages Projects Releases Wiki Activity

Harden systemd service files, drop perms further

Browse Source
This commit is contained in:
Fabian Koller 2020-12-29 23:30:59 +01:00
parent bb569b4e78
commit 14f87f5aee
No known key found for this signature in database
GPG Key ID: 4EFE4C946404B82A
1 changed files with 18 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
ansible/tasks/main.yml
View File

@ -310,7 +310,7 @@
- name: configure systemd services
ini_file:
path: "{{ paperlessng_directory }}/scripts/{{ item[0] }}"
section: "{{ item[1].section }}"
section: "Service"
option: "{{ item[1].option }}"
value: "{{ item[1].value }}"
with_nested:
@ -320,21 +320,35 @@
paperless-webserver.service,
]
- [
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
{
section: "Service",
option: "User",
value: "{{ paperlessng_system_user }}",
},
{
section: "Service",
option: "Group",
value: "{{ paperlessng_system_group }}",
},
{
section: "Service",
option: "WorkingDirectory",
value: "{{ paperlessng_directory }}/src",
},
{
option: "ProtectSystem",
value: "full",
},
{
option: "NoNewPrivileges",
value: "true",
},
{
option: "PrivateUsers",
value: "true",
},
{
option: "PrivateDevices",
value: "true",
}
]
- name: configure paperless-consumer service