updated config

2023-07-08 20:31:47 +02:00 · 2023-07-08 20:31:47 +02:00 · 07f51712c3
parent d42d70d7a7
commit 07f51712c3
2 changed files with 41 additions and 8 deletions
--- a/templates/keycloak.service.j2
+++ b/templates/keycloak.service.j2
@ -1,12 +1,16 @@
 [Unit]
-Description=Keycloak
-After=network.target
+Description=Keycloak server
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service

 [Service]
-Type=idle
 User=keycloak
 Group=keycloak
-ExecStart=/opt/keycloak/current/bin/kc.sh start
+ExecStart=/opt/keycloak/current/bin/kc.sh start --auto-build
+WorkingDirectory=/opt/keycloak/current
+ReadWritePaths=/opt/keycloak/current/conf /opt/keycloak/current/data /opt/keycloak/current/lib/quarkus
+SuccessExitStatus=0 143
+
 TimeoutStartSec=600
 TimeoutStopSec=600
 Environment="KC_HTTP_HOST={{ keycloak_http_host}}"
@ -18,5 +22,18 @@ Environment="KC_DB_URL_DATABASE={{ keycloak_postgresql_database }}"
 Environment="KC_DB_URL_HOST=localhost"
 Environment="KC_PROXY=edge"

+# Hardening options
+CapabilityBoundingSet=
+AmbientCapabilities=
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+PrivateTmp=true
+PrivateDevices=true
+LockPersonality=true
+
 [Install]
 WantedBy=multi-user.target
--- a/templates/keycloak.service_init.j2
+++ b/templates/keycloak.service_init.j2
@ -1,12 +1,15 @@
 [Unit]
-Description=Keycloak
-After=network.target
+Description=Keycloak server
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service

 [Service]
-Type=idle
 User=keycloak
 Group=keycloak
-ExecStart=/opt/keycloak/current/bin/kc.sh start
+ExecStart=/opt/keycloak/current/bin/kc.sh start --auto-build
+WorkingDirectory=/opt/keycloak/current
+ReadWritePaths=/opt/keycloak/current/conf /opt/keycloak/current/data /opt/keycloak/current/lib/quarkus
+SuccessExitStatus=0 143
 TimeoutStartSec=600
 TimeoutStopSec=600
 Environment="KC_HTTP_HOST={{ keycloak_http_host}}"
@ -20,5 +23,18 @@ Environment="KC_PROXY=edge"
 Environment="KEYCLOAK_ADMIN={{ keycloak_initial_admin_name }}"
 Environment="KEYCLOAK_ADMIN_PASSWORD={{ keycloak_initial_admin_password }}"

+# Hardening options
+CapabilityBoundingSet=
+AmbientCapabilities=
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+PrivateTmp=true
+PrivateDevices=true
+LockPersonality=true
+
 [Install]
 WantedBy=multi-user.target