bitmagnet
Add systemd service example
If you want to run it 24/7 as a proper systemd service then it's useful to have a `.service` file. I tried to harden it as much as possible; only a few things could be tweaked more, like `SystemCallFilter`, but this should already be good enough.
```
$ systemd-analyze security bitmagnet
[...]
→ Overall exposure level for bitmagnet.service: 1.2 OK 🙂 (lower number means most secure, 10 is most unsafe)
```
And here's a bonus nginx config:

```nginx
upstream bitmagnet {
    server 127.0.0.1:3333;
}

server {
    listen 443 ssl;
    server_name bitmagnet.example.org;

    access_log /var/log/nginx/bitmagnet.access.log;
    error_log /var/log/nginx/bitmagnet.error.log;

    # Consider using some auth if you want to allow non-local clients
    allow 127.0.0.0/8;
    allow ::1/128;
    deny all;

    ssl_certificate "/etc/letsencrypt/live/bitmagnet.example.org/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/bitmagnet.example.org/privkey.pem";
    ssl_trusted_certificate "/etc/letsencrypt/live/bitmagnet.example.org/chain.pem";
    ssl_stapling on;
    ssl_stapling_verify on;

    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Frame-Options "DENY";
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy "default-src 'self' https:; object-src 'none'; frame-src 'none'; base-uri 'self'; img-src https: data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; connect-src https:; sandbox allow-same-origin allow-scripts allow-downloads; trusted-types; require-trusted-types-for 'script';";

    location / {
        proxy_pass http://bitmagnet;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}
```
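As an added example (not the `.service` file attached to this PR), here is a hardened unit along the lines the description sketches, including a `SystemCallFilter` baseline. The binary path, the `worker run --all` subcommand, the `bitmagnet` user and group, the environment file path and the Postgres variable names are assumptions and must match the actual install.

```ini
[Unit]
Description=bitmagnet (added example unit, not the one attached to this PR)
After=network-online.target postgresql.service
Wants=network-online.target

[Service]
User=bitmagnet
Group=bitmagnet
# Assumed: DB credentials (POSTGRES_HOST, POSTGRES_PASSWORD, ...) live here, mode 0600
EnvironmentFile=/etc/bitmagnet/bitmagnet.env
# Assumed binary path and subcommand; check `bitmagnet --help` on your install
ExecStart=/usr/local/bin/bitmagnet worker run --all
Restart=on-failure
RestartSec=5s

# Filesystem: read-only OS, private /tmp and /dev, only the state dir is writable
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
StateDirectory=bitmagnet
UMask=0077

# Kernel and process isolation
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectProc=invisible
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
CapabilityBoundingSet=

# Network: TCP for the HTTP API on 3333, UDP for DHT; AF_UNIX for journal/local Postgres
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Syscalls: the knob the description says "could be tweaked more"
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

[Install]
WantedBy=multi-user.target
```

Re-run `systemd-analyze security bitmagnet` after installing it to see how each directive moves the exposure score; if a directive is too tight for your build, the failing start shows up in `journalctl -u bitmagnet`.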
Thanks for this @davispuh . I'm open to adding this, though might it be better in the form of a tutorial for the website? I'd want to do a bit of testing first, which will require some set-up work for me as I'm running through Docker. I will get round to this when I can unless someone can beat me to it and do an independent review of this....
> though might it be better in the form of a tutorial for the website?
It can be useful for both. For the packaging use case only an actual copyable file is usable, since trying to extract it out doesn't seem like a good idea, and then everyone would just have their own copies which wouldn't get updated; hence a copyable upstream file is better.
I created a bitmagnet LXC and used this service file (updating user/group) and have been running successfully for a couple days.