reorganize configurations into etc directory

2025-09-18 19:54:46 -04:00 · 2025-04-15 12:32:52 -04:00 · 2025-04-15 12:32:52 -04:00 · 1f4d7316b8
commit 1f4d7316b8
parent b5fd158374
106 changed files with 18 additions and 18 deletions
--- a/etc/systemd/system/-.slice.d/override.conf
+++ b/etc/systemd/system/-.slice.d/override.conf
@ -0,0 +1,2 @@
+[Slice]
+ManagedOOMSwap=kill
--- a/etc/systemd/system/attestation.service.d/override.conf
+++ b/etc/systemd/system/attestation.service.d/override.conf
@ -0,0 +1,3 @@
+[Service]
+IPAddressAllow={{ipv4_address}}
+IPAddressAllow={{ipv6_address}}
--- a/etc/systemd/system/certbot-ocsp-fetcher.service
+++ b/etc/systemd/system/certbot-ocsp-fetcher.service
@ -0,0 +1,57 @@
+[Unit]
+Description=Fetch OCSP responses for all certificates issued with Certbot
+
+[Service]
+Type=oneshot
+
+Restart=on-failure
+
+CacheDirectory=%N
+
+User=root
+Group=root
+ExecStart=%N --no-reload-webserver
+ExecStartPost=systemctl reload nginx.service
+
+RestartSec=5
+PrivateDevices=true
+PrivateTmp=yes
+PrivateUsers=yes
+PrivateIPC=true
+
+NoNewPrivileges=true
+LockPersonality=true
+
+CapabilityBoundingSet=
+ProtectHome=yes
+ProtectControlGroups=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectClock=true
+ProtectProc=invisible
+ProcSubset=pid
+ProtectHostname=true
+RemoveIPC=true
+
+RestrictAddressFamilies=AF_INET6 AF_INET AF_UNIX
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+
+DevicePolicy=strict
+DeviceAllow=/dev/random r
+DeviceAllow=/dev/urandom r
+DeviceAllow=/dev/stdin r
+DeviceAllow=/dev/stdout r
+DeviceAllow=/dev/null w
+
+ProtectSystem=strict
+InaccessiblePaths=/root/
+ReadOnlyPaths=/etc/letsencrypt
+UMask=0077
+
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@clock @debug @module @mount @reboot @swap @resources @cpu-emulation @raw-io @obsolete @keyring @privileged
--- a/etc/systemd/system/certbot-ocsp-fetcher.timer
+++ b/etc/systemd/system/certbot-ocsp-fetcher.timer
@ -0,0 +1,10 @@
+[Unit]
+Description=Nightly run %N
+
+[Timer]
+OnCalendar=*-*-* 01:00:00
+RandomizedDelaySec=21600
+Persistent=true
+
+[Install]
+WantedBy=timers.target
--- a/etc/systemd/system/certbot-renew.service.d/override.conf
+++ b/etc/systemd/system/certbot-renew.service.d/override.conf
@ -0,0 +1,29 @@
+[Service]
+CapabilityBoundingSet=
+CPUSchedulingPolicy=batch
+ExecStart=
+ExecStart=/usr/bin/certbot -q renew --no-random-sleep-on-renew --max-log-backups 0
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=read-only
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt -/srv/certbot -/var/cache/certbot-ocsp-fetcher
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @obsolete
--- a/etc/systemd/system/chronyd.service.d/override.conf
+++ b/etc/systemd/system/chronyd.service.d/override.conf
@ -0,0 +1,9 @@
+[Service]
+NoNewPrivileges=yes
+ReadWritePaths=
+ReadWritePaths=/run /var/lib/chrony -/var/log
+Restart=always
+RestartMaxDelaySec=10s
+RestartSec=100ms
+RestartSteps=5
+RestrictAddressFamilies=~AF_NETLINK
--- a/etc/systemd/system/fstrim.service.d/override.conf
+++ b/etc/systemd/system/fstrim.service.d/override.conf
@ -0,0 +1,7 @@
+[Unit]
+Wants=xfs_fsr.service
+After=xfs_fsr.service
+
+[Service]
+CPUSchedulingPolicy=idle
+IOSchedulingClass=idle
--- a/etc/systemd/system/fstrim.timer.d/override.conf
+++ b/etc/systemd/system/fstrim.timer.d/override.conf
@ -0,0 +1,6 @@
+[Unit]
+Description=Discard unused filesystem blocks once a day
+
+[Timer]
+OnCalendar=
+OnCalendar=daily
--- a/etc/systemd/system/nginx-create-session-ticket-keys.service
+++ b/etc/systemd/system/nginx-create-session-ticket-keys.service
@ -0,0 +1,11 @@
+[Unit]
+Description=Create nginx TLS session ticket keys
+Before=nginx.service
+
+[Service]
+ExecStart=/usr/local/bin/nginx-create-session-ticket-keys
+Type=oneshot
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target
--- a/etc/systemd/system/nginx-rotate-session-ticket-keys.service
+++ b/etc/systemd/system/nginx-rotate-session-ticket-keys.service
@ -0,0 +1,9 @@
+[Unit]
+Description=Rotate nginx TLS session ticket keys
+After=nginx.service nginx-create-session-ticket-keys.service
+Requires=nginx.service nginx-create-session-ticket-keys.service
+
+[Service]
+ExecStart=/usr/local/bin/nginx-rotate-session-ticket-keys
+Type=oneshot
+UMask=0077
--- a/etc/systemd/system/nginx-rotate-session-ticket-keys.timer
+++ b/etc/systemd/system/nginx-rotate-session-ticket-keys.timer
@ -0,0 +1,8 @@
+[Unit]
+Description=Run nginx-rotate-session-ticket-keys three times daily
+
+[Timer]
+OnCalendar=0/8:00:00
+
+[Install]
+WantedBy=timers.target
--- a/etc/systemd/system/nginx.service.d/override.conf
+++ b/etc/systemd/system/nginx.service.d/override.conf
@ -0,0 +1,30 @@
+[Service]
+CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateIPC=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/var/lib/nginx /var/log/nginx -/var/cache/nginx
+Restart=always
+RestartMaxDelaySec=10s
+RestartSec=100ms
+RestartSteps=5
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RuntimeDirectory=nginx
+RuntimeDirectoryMode=700
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@obsolete
--- a/etc/systemd/system/plocate-updatedb.service.d/override.conf
+++ b/etc/systemd/system/plocate-updatedb.service.d/override.conf
@ -0,0 +1,2 @@
+[Service]
+CPUSchedulingPolicy=idle
--- a/etc/systemd/system/sshd.service.d/override.conf
+++ b/etc/systemd/system/sshd.service.d/override.conf
@ -0,0 +1,3 @@
+[Service]
+LimitNOFILE=8192
+ManagedOOMPreference=avoid
--- a/etc/systemd/system/sysstat-collect.timer.d/override.conf
+++ b/etc/systemd/system/sysstat-collect.timer.d/override.conf
@ -0,0 +1,7 @@
+[Unit]
+Description=Run system activity accounting tool every minute
+
+[Timer]
+AccuracySec=1us
+OnCalendar=
+OnCalendar=minutely
--- a/etc/systemd/system/system.slice.d/override.conf
+++ b/etc/systemd/system/system.slice.d/override.conf
@ -0,0 +1,3 @@
+[Slice]
+MemoryLow=64M
+MemoryMin=64M
--- a/etc/systemd/system/systemd-boot-update.service.d/local.conf
+++ b/etc/systemd/system/systemd-boot-update.service.d/local.conf
@ -0,0 +1,2 @@
+[Service]
+Environment=SYSTEMD_RELAX_ESP_CHECKS=1
--- a/etc/systemd/system/unbound.service.d/override.conf
+++ b/etc/systemd/system/unbound.service.d/override.conf
@ -0,0 +1,5 @@
+[Service]
+Restart=always
+RestartMaxDelaySec=10s
+RestartSec=100ms
+RestartSteps=5
--- a/etc/systemd/system/xfs_fsr.service
+++ b/etc/systemd/system/xfs_fsr.service
@ -0,0 +1,12 @@
+[Unit]
+Description=XFS filesystem reorganization
+
+[Service]
+CPUSchedulingPolicy=idle
+ExecStart=/usr/bin/xfs_fsr -f /var/lib/.fsrlast
+IOSchedulingClass=idle
+IPAddressDeny=any
+MemoryDenyWriteExecute=true
+PrivateIPC=true
+PrivateNetwork=true
+Type=oneshot