refactor: reorganize docs and aux files

2025-07-04 05:15:33 +00:00 · 2024-09-10 03:59:31 -04:00 · 2024-09-10 03:59:31 -04:00 · 7160e5adbd
commit 7160e5adbd
parent 0ac841e6fa
9 changed files with 4 additions and 4 deletions
--- a/contrib/blahd.example.service
+++ b/contrib/blahd.example.service
@ -0,0 +1,46 @@
+[Unit]
+Description=Blah Chat Server
+After=network.target
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/blahd serve --config ${CONFIGURATION_DIRECTORY}/blahd.toml
+ConfigurationDirectory=blahd
+StateDirectory=blahd
+Restart=always
+RestartSec=10s
+
+# Permission and capabilities
+
+DynamicUser=yes
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+# 0640 / 0750
+UMask=0027
+
+# Sandboxing
+# Mostly copied from: https://github.com/NixOS/nixpkgs/blob/6414ef7ca3bf18ec4f9628d09ccc1eb030276ee2/nixos/modules/services/web-servers/nginx/default.nix#L1246
+
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateMounts=yes
+PrivateUsers=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectProc=invisible
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged