From 42df93debccbcb1a18cd377b6de0b5b20527312f Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Mon, 18 May 2020 15:51:54 +0200
Subject: stunnel4: Harden and socket-activate.
---
 roles/common/files/etc/systemd/system/stunnel4@.service | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'roles/common/files/etc')
diff --git a/roles/common/files/etc/systemd/system/stunnel4@.service b/roles/common/files/etc/systemd/system/stunnel4@.service
index 1a30599..4d69702 100644
--- a/roles/common/files/etc/systemd/system/stunnel4@.service
+++ b/roles/common/files/etc/systemd/system/stunnel4@.service
@@ -1,10 +1,15 @@
 [Unit]
 Description=SSL tunnel for network daemons (instance %i)
+Documentation=man:stunnel4(8)
 After=network.target nss-lookup.target
 PartOf=stunnel4.service
 ReloadPropagatedFrom=stunnel4.service
 
 [Service]
+DynamicUser=yes
+; force dynamic user/group allocation (stunnel4 user exists already)
+User=_stunnel4-%i
+Group=_stunnel4-%i
 ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf
 ExecReload=/bin/kill -HUP ${MAINPID}
 KillSignal=SIGINT
--
cgit v1.2.3
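Review bot: With `DynamicUser=yes` added and the `ExecStart=` line left as it was, each instance now starts under a transient unprivileged UID, so everything `/etc/stunnel/%i.conf` refers to has to work without root, and nothing in this hunk shows that it does. A TLS private key readable only by root, a `setuid`/`setgid`/`chroot`/`pid` option in the instance config, or an accept port below 1024 would make the instance fail at start; the socket units the subject mentions are presumably in a part of the commit outside this path-limited view. Because the allocated UID is not stable across restarts, access to key material is better granted through a static group, e.g. `SupplementaryGroups=<key-group>` (placeholder), than through file ownership. `User=_stunnel4-%i` also puts the instance name into a user name, which systemd validates for allowed characters and length, so I would extend the comment to say so: `; instance names must be valid in a user name (letters, digits, "_" and "-") and short enough for the user-name length limit`.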