stunnel4: Harden and socket-activate.

author: Guilhem Moulin <guilhem@fripost.org> 2020-05-18 15:51:54 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2020-05-18 15:51:54 +0200
commit: 42df93debccbcb1a18cd377b6de0b5b20527312f (patch)
tree: acb669efd9b6f9d0d80e9563d2940192b3753925 /roles/common/files
parent: f3e90041c28a74c94d06f419889691f533422c2f (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/roles/common/files/etc/systemd/system/stunnel4@.service b/roles/common/files/etc/systemd/system/stunnel4@.service
index 1a30599..4d69702 100644
--- a/roles/common/files/etc/systemd/system/stunnel4@.service
+++ b/roles/common/files/etc/systemd/system/stunnel4@.service
@@ -1,10 +1,15 @@
 [Unit]
 Description=SSL tunnel for network daemons (instance %i)
+Documentation=man:stunnel4(8)
 After=network.target nss-lookup.target
 PartOf=stunnel4.service
 ReloadPropagatedFrom=stunnel4.service
 
 [Service]
+DynamicUser=yes
+; force dynamic user/group allocation (stunnel4 user exists already)
+User=_stunnel4-%i
+Group=_stunnel4-%i
 ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf
 ExecReload=/bin/kill -HUP ${MAINPID}
 KillSignal=SIGINT
author	Guilhem Moulin <guilhem@fripost.org>	2020-05-18 15:51:54 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2020-05-18 15:51:54 +0200
commit	42df93debccbcb1a18cd377b6de0b5b20527312f (patch)
tree	acb669efd9b6f9d0d80e9563d2940192b3753925 /roles/common/files
parent	f3e90041c28a74c94d06f419889691f533422c2f (diff)