DigitalInfinity/ansible-role-step-ca
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

easier service-file, no error on rpi

Browse Source
This commit is contained in:
Alexander Gabriel 2021-06-06 19:28:32 +01:00
parent f25d2c2010
commit 9b69ce37eb
1 changed files with 0 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
templates/step-ca.service.j2
View File

@ -23,26 +23,5 @@ TimeoutStopSec=30
StartLimitInterval=30 StartLimitInterval=30
StartLimitBurst=3 StartLimitBurst=3
; Process capabilities & privileges
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
SecureBits=keep-caps
NoNewPrivileges=yes
; Sandboxing
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
PrivateTmp=true
PrivateDevices=true
ProtectControlGroups=true
ProtectKernelTunables=true
ProtectKernelModules=true
LockPersonality=true
RemoveIPC=true
RestrictRealtime=true
SystemCallFilter=@system-service
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
ReadWriteDirectories=/etc/step-ca/.step/db
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target