wiki/website: harden config and port to Debian 10.

author: Guilhem Moulin <guilhem@fripost.org> 2020-05-16 23:35:25 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2020-05-16 23:35:25 +0200
commit: af8880f3a3281612340ec3d38e823684d9af5baa (patch)
tree: aaf757872144bbaec8201a541a68926ba76cbaf6 /roles/wiki/files/etc/systemd/system/ikiwiki.service
parent: 70f16ac939497e3e424bad05c5f82ce36d1bceda (diff)
1 files changed, 23 insertions, 0 deletions
diff --git a/roles/wiki/files/etc/systemd/system/ikiwiki.service b/roles/wiki/files/etc/systemd/system/ikiwiki.service
new file mode 100644
index 0000000..3ee7d66
--- /dev/null
+++ b/roles/wiki/files/etc/systemd/system/ikiwiki.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=wiki compiler (CGI script)
+Documentation=https://ikiwiki.info/
+
+[Service]
+User=ikiwiki
+Group=ikiwiki
+ExecStart=/usr/sbin/fcgiwrap
+SyslogIdentifier=ikiwiki
+#
+# Hardening
+NoNewPrivileges=yes
+ReadWriteDirectories=/var/lib/ikiwiki/fripost-wiki
+ReadWriteDirectories=/var/lib/ikiwiki/public_html/fripost-wiki
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=strict
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+
+[Install]
+WantedBy=multi-user.target
author	Guilhem Moulin <guilhem@fripost.org>	2020-05-16 23:35:25 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2020-05-16 23:35:25 +0200
commit	af8880f3a3281612340ec3d38e823684d9af5baa (patch)
tree	aaf757872144bbaec8201a541a68926ba76cbaf6 /roles/wiki/files/etc/systemd/system/ikiwiki.service
parent	70f16ac939497e3e424bad05c5f82ce36d1bceda (diff)