Harden systemd service files, drop perms further

This commit is contained in:
Fabian Koller 2020-12-29 23:30:59 +01:00
parent bb569b4e78
commit 14f87f5aee
No known key found for this signature in database
GPG Key ID: 4EFE4C946404B82A


@ -310,7 +310,7 @@
- name: configure systemd services - name: configure systemd services
ini_file: ini_file:
path: "{{ paperlessng_directory }}/scripts/{{ item[0] }}" path: "{{ paperlessng_directory }}/scripts/{{ item[0] }}"
section: "{{ item[1].section }}" section: "Service"
option: "{{ item[1].option }}" option: "{{ item[1].option }}"
value: "{{ item[1].value }}" value: "{{ item[1].value }}"
with_nested: with_nested:
@ -320,21 +320,35 @@
paperless-webserver.service, paperless-webserver.service,
] ]
- [ - [
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
{ {
section: "Service",
option: "User", option: "User",
value: "{{ paperlessng_system_user }}", value: "{{ paperlessng_system_user }}",
}, },
{ {
section: "Service",
option: "Group", option: "Group",
value: "{{ paperlessng_system_group }}", value: "{{ paperlessng_system_group }}",
}, },
{ {
section: "Service",
option: "WorkingDirectory", option: "WorkingDirectory",
value: "{{ paperlessng_directory }}/src", value: "{{ paperlessng_directory }}/src",
}, },
{
option: "ProtectSystem",
value: "full",
},
{
option: "NoNewPrivileges",
value: "true",
},
{
option: "PrivateUsers",
value: "true",
},
{
option: "PrivateDevices",
value: "true",
}
] ]
- name: configure paperless-consumer service - name: configure paperless-consumer service