AimeeOS
/
aimee-os
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
aimee-os/yellow/overlay/etc/systemd/system/gen-nginx-cert.service

41 lines
850 B
INI
Raw Blame History

# vim: set ft=systemd :
[Unit]
Description=Generate self-signed certificate for nginx
Before=nginx.service
ConditionPathExists=!/etc/nginx/ssl/server.crt
[Service]
Type=oneshot
ExecStart=/usr/libexec/gen-nginx-cert
User=root
Group=nginx
CapabilityBoundingSet=
DeviceAllow=
DevicePolicy=closed
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
PrivateUsers=yes
ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=yes
RestrictAddressFamilies=
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
UMask=0027
Reference in New Issue View Git Blame Copy Permalink