add hardening measures to systemd services

2025-09-19 20:24:39 +02:00 · 2021-05-23 16:46:29 +01:00
parent ca82d221de
commit ab279c7d10
4 changed files with 24 additions and 0 deletions
--- a/home.admin/config.scripts/bonus.clnrest.sh
+++ b/home.admin/config.scripts/bonus.clnrest.sh
@@ -79,6 +79,12 @@ Restart=always
 TimeoutSec=120
 RestartSec=30

+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 " | sudo tee /etc/systemd/system/clnrest.service
--- a/home.admin/config.scripts/cln.install.sh
+++ b/home.admin/config.scripts/cln.install.sh
@@ -185,6 +185,12 @@ RestartSec=30
 StandardOutput=null
 StandardError=journal

+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 " | sudo tee /etc/systemd/system/${prefix}lightningd.service
--- a/home.admin/config.scripts/lnd.chain.sh
+++ b/home.admin/config.scripts/lnd.chain.sh
@@ -149,6 +149,12 @@ RestartSec=30
 StandardOutput=null
 StandardError=journal

+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 " | sudo tee /etc/systemd/system/${prefix}lnd.service
--- a/home.admin/config.scripts/network.bitcoinchains.sh
+++ b/home.admin/config.scripts/network.bitcoinchains.sh
@@ -132,6 +132,12 @@ RestartSec=30
 StandardOutput=null
 StandardError=journal

+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
 [Install]
 WantedBy=multi-user.target
 " | sudo tee /etc/systemd/system/${prefix}bitcoind.service