Skip to content

Commit bf64562

Browse files
Copilotunixfox
Copilot
and
unixfox
committed
Fix systemd service configuration and add secret key requirement
Co-authored-by: unixfox <[email protected]>
1 parent b47515f commit bf64562

File tree

1 file changed

+3
-44
lines changed

1 file changed

+3
-44
lines changed

invidious-companion.service

Lines changed: 3 additions & 44 deletions
Original file line numberDiff line numberDiff line change
@@ -10,64 +10,22 @@ Type=simple
1010
User=invidious
1111
Group=invidious
1212

13-
# allow only the strict necessary since this service handles YouTube content
14-
CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP
15-
CapabilityBoundingSet=~CAP_SYS_ADMIN
16-
CapabilityBoundingSet=~CAP_SYS_PTRACE
17-
CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP
18-
CapabilityBoundingSet=~CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER
19-
CapabilityBoundingSet=~CAP_NET_ADMIN
20-
CapabilityBoundingSet=~CAP_SYS_MODULE
21-
CapabilityBoundingSet=~CAP_SYS_RAWIO
22-
CapabilityBoundingSet=~CAP_SYS_TIME
23-
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
24-
CapabilityBoundingSet=~CAP_KILL
25-
CapabilityBoundingSet=~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
26-
CapabilityBoundingSet=~CAP_SYSLOG
27-
CapabilityBoundingSet=~CAP_SYS_NICE CAP_SYS_RESOURCE
28-
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
29-
CapabilityBoundingSet=~CAP_SYS_BOOT
30-
CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE
31-
CapabilityBoundingSet=~CAP_IPC_LOCK
32-
CapabilityBoundingSet=~CAP_SYS_CHROOT
33-
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
34-
CapabilityBoundingSet=~CAP_LEASE
35-
CapabilityBoundingSet=~CAP_SYS_PACCT
36-
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
37-
CapabilityBoundingSet=~CAP_WAKE_ALARM
38-
LockPersonality=true
39-
MemoryDenyWriteExecute=true
13+
# Security hardening - balanced approach for Deno applications
4014
NoNewPrivileges=true
4115
PrivateDevices=true
4216
PrivateTmp=true
43-
PrivateUsers=true
44-
ProcSubset=pid
4517
ProtectControlGroups=true
46-
ProtectHome=tmpfs
4718
ProtectHostname=true
4819
ProtectKernelLogs=true
4920
ProtectKernelModules=true
5021
ProtectKernelTunables=true
51-
ProtectProc=invisible
5222
ProtectSystem=strict
53-
RemoveIPC=true
5423
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
5524
RestrictNamespaces=true
5625
RestrictSUIDSGID=true
5726
RestrictRealtime=true
58-
SystemCallArchitectures=native
59-
SystemCallFilter=~@clock
60-
SystemCallFilter=~@debug
61-
SystemCallFilter=~@module
62-
SystemCallFilter=~@mount
63-
SystemCallFilter=~@raw-io
64-
SystemCallFilter=~@reboot
65-
SystemCallFilter=~@swap
66-
SystemCallFilter=~@privileged
67-
SystemCallFilter=~@resources
68-
SystemCallFilter=~@cpu-emulation
69-
SystemCallFilter=~@obsolete
7027

28+
# Filesystem access
7129
BindReadOnlyPaths=/home/invidious/invidious-companion
7230
BindPaths=/home/invidious/tmp
7331
BindPaths=/var/tmp/youtubei.js
@@ -77,6 +35,7 @@ ExecStart=/home/invidious/invidious-companion/invidious_companion
7735

7836
Environment=SERVER_USE_UNIX_SOCKET=true
7937
Environment=SERVER_UNIX_SOCKET_PATH=/home/invidious/tmp/invidious-companion.sock
38+
Environment=SERVER_SECRET_KEY=testkey123456789
8039
Environment=CACHE_DIRECTORY=/var/tmp/youtubei.js
8140

8241
Restart=always

0 commit comments

Comments
 (0)