2022-12-30 17:37:44 +00:00
|
|
|
[Unit]
|
|
|
|
|
Description=collabore tunnel Make your local services accessible to all on the public Internet
|
|
|
|
|
After=network.target nginx.service
|
|
|
|
|
|
|
|
|
|
[Service]
|
2023-05-24 12:39:38 +00:00
|
|
|
Type=exec
|
|
|
|
|
|
|
|
|
|
# environment variables
|
|
|
|
|
Environment=HOME=/opt/collabore-tunnel/
|
|
|
|
|
Environment=UNIX_SOCKETS_DIRECTORY=/opt/collabore-tunnel/sockets
|
2022-12-30 17:37:44 +00:00
|
|
|
Environment=SERVER_HOSTNAME=tnl.clb.re
|
|
|
|
|
Environment=CONFIG_DIRECTORY=.
|
2023-05-13 15:03:49 +00:00
|
|
|
Environment=WELCOME_BANNER_FILE=./welcome_banner.txt
|
|
|
|
|
Environment=RATE_LIMIT_COUNT=5
|
|
|
|
|
Environment=RATE_LIMIT_INTERVAL=60
|
|
|
|
|
Environment=MAX_CONNECTIONS_PER_IP=5
|
2022-12-30 17:37:44 +00:00
|
|
|
Environment=SSH_SERVER_HOST=0.0.0.0
|
|
|
|
|
Environment=SSH_SERVER_PORT=22
|
|
|
|
|
Environment=LOG_DEPTH=2
|
2023-05-24 12:39:38 +00:00
|
|
|
|
|
|
|
|
# working directory and exec
|
2022-12-30 17:37:44 +00:00
|
|
|
WorkingDirectory=/opt/collabore-tunnel
|
2023-05-24 12:39:38 +00:00
|
|
|
ExecStart=/opt/collabore-tunnel/.env/bin/python3 main.py
|
|
|
|
|
ExecStop=/usr/bin/kill -9 $MAINPID
|
|
|
|
|
|
|
|
|
|
# filesystem
|
|
|
|
|
TemporaryFileSystem=/:ro
|
|
|
|
|
BindReadOnlyPaths=/lib/ /lib64/ /usr/lib/ /usr/lib64/ /opt/collabore-tunnel/
|
|
|
|
|
BindReadOnlyPaths=/usr/bin/python3 /usr/bin/kill
|
|
|
|
|
BindPaths=/opt/collabore-tunnel/sockets/
|
|
|
|
|
BindPaths=/opt/collabore-tunnel/id_rsa_host
|
|
|
|
|
PrivateTmp=true
|
2022-12-30 17:37:44 +00:00
|
|
|
PrivateDevices=true
|
2023-05-24 12:39:38 +00:00
|
|
|
ProtectControlGroups=true
|
2022-12-30 17:37:44 +00:00
|
|
|
ProtectKernelModules=true
|
2023-05-24 12:39:38 +00:00
|
|
|
ProtectKernelTunables=true
|
|
|
|
|
ReadWritePaths=
|
|
|
|
|
|
|
|
|
|
# network
|
|
|
|
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
|
|
|
|
|
|
|
|
|
# misc
|
2022-12-30 17:37:44 +00:00
|
|
|
SystemCallArchitectures=native
|
|
|
|
|
SystemCallFilter=
|
2023-05-24 12:39:38 +00:00
|
|
|
NoNewPrivileges=true
|
|
|
|
|
RestrictRealtime=true
|
|
|
|
|
MemoryDenyWriteExecute=true
|
|
|
|
|
ProtectKernelLogs=true
|
|
|
|
|
LockPersonality=true
|
|
|
|
|
ProtectHostname=true
|
|
|
|
|
RemoveIPC=true
|
|
|
|
|
RestrictSUIDSGID=true
|
|
|
|
|
ProtectClock=true
|
|
|
|
|
ProtectProc=invisible
|
|
|
|
|
|
|
|
|
|
# capabilities
|
|
|
|
|
RestrictNamespaces=uts ipc pid cgroup
|
|
|
|
|
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
|
|
|
|
AmbientCapabilities=
|
2022-12-30 17:37:44 +00:00
|
|
|
|
|
|
|
|
[Install]
|
|
|
|
|
WantedBy=multi-user.target
|
