.gitignore

@@ -162,5 +162,4 @@ cython_debug/
 
 # Others
 id_rsa_host
-sockets/
 *.sock

README.md

@@ -73,17 +73,7 @@ We have deployed collabore tunnel on a server running Ubuntu Server 22.04.
 ### Install required packages
 
 ```
-apt install python3-pip python3-venv nginx
-```
-
-### Create `collabore-tunnel` user
-
-```
-groupadd collabore-tunnel
-```
-
-```
-useradd -r -s /sbin/nologin -g collabore-tunnel collabore-tunnel
+apt install python3-pip nginx
 ```
 
 ### Retrieve sources
@@ -92,28 +82,18 @@ useradd -r -s /sbin/nologin -g collabore-tunnel collabore-tunnel
 mkdir /opt/collabore-tunnel
 ```
 
-```
-chown collabore-tunnel:collabore-tunnel /opt/collabore-tunnel
-```
-
 ```
 cd /opt/collabore-tunnel
 ```
 
 ```
-runuser -u collabore-tunnel -- git clone https://github.com/ClubElecINSSET/collabore-tunnel .
-```
-
-### Create Python virtual environment
-
-```
-runuser -u collabore-tunnel -- virtualenv .env
+git clone https://github.com/ClubElecINSSET/collabore-tunnel .
 ```
 
 ### Install Python dependencies
 
 ```
-runuser -u collabore-tunnel -- .env/bin/pip install -r requirements.txt
+pip install -r requirements.txt
 ```
 
 ### Install NGINX virtualhosts

collabore-tunnel.service

@@ -3,61 +3,43 @@ Description=collabore tunnel  Make your local services accessible to all on the
 After=network.target nginx.service
 
 [Service]
-Type=exec
-
-# environment variables
-Environment=HOME=/opt/collabore-tunnel/
-Environment=UNIX_SOCKETS_DIRECTORY=/opt/collabore-tunnel/sockets
+Environment=UNIX_SOCKETS_DIRECTORY=/tmp/collabore-tunnel
 Environment=SERVER_HOSTNAME=tnl.clb.re
 Environment=CONFIG_DIRECTORY=.
 Environment=WELCOME_BANNER_FILE=./welcome_banner.txt
 Environment=RATE_LIMIT_COUNT=5
 Environment=RATE_LIMIT_INTERVAL=60
 Environment=MAX_CONNECTIONS_PER_IP=5
+Environment=TIMEOUT=120
 Environment=SSH_SERVER_HOST=0.0.0.0
 Environment=SSH_SERVER_PORT=22
 Environment=LOG_DEPTH=2
-
-# working directory and exec
 WorkingDirectory=/opt/collabore-tunnel
-ExecStart=/opt/collabore-tunnel/.env/bin/python3 main.py
-ExecStop=/usr/bin/kill -9 $MAINPID
-
-# filesystem
-TemporaryFileSystem=/:ro
-BindReadOnlyPaths=/lib/ /lib64/ /usr/lib/ /usr/lib64/ /opt/collabore-tunnel/
-BindReadOnlyPaths=/usr/bin/python3 /usr/bin/kill
-BindPaths=/opt/collabore-tunnel/sockets/
-BindPaths=/opt/collabore-tunnel/id_rsa_host
-PrivateTmp=true
-PrivateDevices=true
-ProtectControlGroups=true
-ProtectKernelModules=true
+ExecStart=/usr/bin/python3 main.py
+ExecStop=/bin/kill -9 $MAINPID
+ProtectSystem=strict
+ReadWritePaths=/opt/collabore-tunnel /tmp
+ReadOnlyPaths=/usr/bin
+InaccessiblePaths=...
+ProtectHome=true
+ProtectProc=invisible
 ProtectKernelTunables=true
-ReadWritePaths=
-
-# network
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-
-# misc
+ProtectControlGroups=true
+NoNewPrivileges=true
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+RestrictNamespaces=uts ipc pid cgroup
+RestrictSUIDSGID=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictRealtime=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+IPAddressAllow=192.168.1.0/24
+PrivateDevices=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectClock=true
 SystemCallArchitectures=native
 SystemCallFilter=
-NoNewPrivileges=true
-PrivateUsers=true
-RestrictRealtime=true
-MemoryDenyWriteExecute=true
-ProtectKernelLogs=true
-LockPersonality=true
-ProtectHostname=true
-RemoveIPC=true
-RestrictSUIDSGID=true
-ProtectClock=true
-ProtectProc=invisible
-
-# capabilities
-RestrictNamespaces=uts ipc pid cgroup
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=
 
 [Install]
 WantedBy=multi-user.target