Harden deploy artifacts for production
Dedicated mnw-cli system user, systemd security hardening (NoNewPrivileges,
ProtectSystem=strict, resource limits), correct directory ownership.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2 files changed,
+31 insertions,
-10 deletions
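--- a/PATH_NOT_SHOWN/deploy-script
+++ b/PATH_NOT_SHOWN/deploy-script
@@ -36,7 +36,7 @@
 
 # Ensure directories exist
 ssh $SERVER "mkdir -p $REMOTE_DIR $STAGING_DIR"
-ssh $SERVER "chown makenotwork:makenotwork $STAGING_DIR"
+ssh $SERVER "chown mnw-cli:mnw-cli $STAGING_DIR"
 
 echo "[config] Done"
 }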
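Review bot: The new line 39 `ssh $SERVER "chown mnw-cli:mnw-cli $STAGING_DIR"` hands `$STAGING_DIR` to the remote shell unquoted, so a path containing whitespace or shell metacharacters is re-split or interpreted there, and `$SERVER` is unquoted locally as well. Quote both sides, e.g. `ssh "$SERVER" "chown mnw-cli:mnw-cli $(printf '%q' "$STAGING_DIR")"` (the `mkdir -p` line above it, context here, has the same shape). The chown also assumes the `mnw-cli` account already exists on the host; no user-creation step is visible in this hunk, so if it lives elsewhere a comment such as `# mnw-cli user/group are created by <provisioning step>` would help, and if the script runs under `set -e` a missing account aborts the function here while otherwise the ssh exit status is silently dropped. The enclosing function starts before this hunk.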
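--- a/PATH_NOT_SHOWN/mnw-cli-systemd-unit
+++ b/PATH_NOT_SHOWN/mnw-cli-systemd-unit
@@ -1,26 +1,47 @@
 [Unit]
 Description=MNW CLI SSH Server
-After=network.target
+Documentation=https://makenot.work/docs
+After=network.target makenotwork.service
 Wants=network-online.target
 
 [Service]
 Type=simple
-User=makenotwork
-Group=makenotwork
-ExecStart=/opt/mnw-cli/mnw-cli
+User=mnw-cli
+Group=mnw-cli
 WorkingDirectory=/opt/mnw-cli
-EnvironmentFile=/opt/mnw-cli/.env
-Restart=on-failure
+ExecStart=/opt/mnw-cli/mnw-cli
+Restart=always
 RestartSec=5
-StandardOutput=journal
-StandardError=journal
+
+# Environment
+EnvironmentFile=/opt/mnw-cli/.env
+Environment=HOME=/opt/mnw-cli
 
 # Security hardening
 NoNewPrivileges=true
 ProtectSystem=strict
 ProtectHome=true
-ReadWritePaths=/opt/mnw-cli /var/lib/mnw-cli
 PrivateTmp=true
+ReadWritePaths=/opt/mnw-cli /var/lib/mnw-cli
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+LockPersonality=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+SystemCallArchitectures=native
+
+# Resource limits
+LimitNOFILE=4096
+MemoryMax=512M
+TasksMax=512
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=mnw-cli
 
 [Install]
 WantedBy=multi-user.target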
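Review bot: `ReadWritePaths=/opt/mnw-cli` on new line 25 makes the directory holding the executable (`ExecStart=/opt/mnw-cli/mnw-cli`) and the secrets file (`EnvironmentFile=/opt/mnw-cli/.env`) writable by the mnw-cli user, which largely cancels `ProtectSystem=strict`: a compromised process could modify its own binary, and `Restart=always` would then re-run it. Unless the program must write beside its binary, keep mutable state under /var/lib only, e.g. `ReadWritePaths=/var/lib/mnw-cli` (or `StateDirectory=mnw-cli`, which also creates the directory with the right ownership) together with `Environment=HOME=/var/lib/mnw-cli`. `Wants=network-online.target` on line 5 has no matching `After=`, so it pulls the target in but does not order the service after it; the new line 4 should read `After=network.target network-online.target makenotwork.service`. The usual companions of this hardening set are absent — `CapabilityBoundingSet=`, `SystemCallFilter=@system-service`, `PrivateDevices=true`, `ProtectClock=true`, `ProtectHostname=true`, `UMask=0077`, and `MemoryDenyWriteExecute=true` where the runtime tolerates it — and if this SSH server binds a port below 1024 it would additionally need `AmbientCapabilities=CAP_NET_BIND_SERVICE` next to an otherwise empty bounding set.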