[arch-commits] Commit in bitwarden_rs/trunk (3 files)
Date: Wednesday, November 25, 2020 @ 00:36:36 Author: polyzen Revision: 761026 upgpkg: bitwarden_rs 1.17.0-5: Do not log in two places by default Also add systemd unit drop-in suggestions to post_install(). Modified: bitwarden_rs/trunk/PKGBUILD bitwarden_rs/trunk/bitwarden_rs.install bitwarden_rs/trunk/bitwarden_rs.service --+ PKGBUILD |7 +++ bitwarden_rs.install | 18 +- bitwarden_rs.service |2 +- 3 files changed, 21 insertions(+), 6 deletions(-) Modified: PKGBUILD === --- PKGBUILD2020-11-25 00:36:13 UTC (rev 761025) +++ PKGBUILD2020-11-25 00:36:36 UTC (rev 761026) @@ -4,7 +4,7 @@ pkgname=bitwarden_rs pkgver=1.17.0 -pkgrel=4 +pkgrel=5 pkgdesc='Unofficial Bitwarden compatible server written in Rust' arch=('x86_64') url=https://github.com/dani-garcia/bitwarden_rs @@ -12,7 +12,6 @@ depends=('mariadb-libs' 'openssl' 'postgresql-libs' 'sqlite') makedepends=('rustup') optdepends=('bitwarden_rs-vault: for the web app') -conflicts=("$pkgname-mysql" "$pkgname-postgresql") backup=('etc/bitwarden_rs.env') install=$pkgname.install source=("$url/archive/$pkgver/$pkgname-$pkgver.tar.gz" @@ -20,7 +19,7 @@ "$pkgname.sysusers.conf" "$pkgname.tmpfiles") b2sums=('faf4a3e0cba6905547c347bd8d7939e2412116d5c9b226e49cddd04306b6e69e00e1f5d7b1b09493ff02614d5417b34cd9c54cb3efffbf238e23e3f54bacd5d1' - 'c344164792bc9f9d5b485f932d2c476515d783cb54478e60fb8ca3c17f5781e067af0d2dff0670886fd186427c78e986f544f66d34e936db9f719c7f0be156e3' + '22bc90b8c49b6a26610ec840f04481fe3c7fcffc82434df3ee6adba4555787ba44c7b58dfcb181a28d4a6c943db6e7f7f439b67995c5aa06c23035002765de09' 'c44af94e19724ba23a11cec3ccc46ff9db307a058564d539dc533308e75ff43cfb5e42515bd49fdeb86e02cbc7575dc87c3b132d9d28d49f7e8fedab598c06f5' 'a2a6a128a405b4dbd06eb84c25b1971a5dcab4b918d6fec74da317b76485eda6b4b16ad972a85d9c8267b0a848787761fae75cd6bbb81d970a8cbc8683a2fc42') 
@@ -28,7 +27,7 @@ cd $pkgname-$pkgver sed -i 's,# DATA_FOLDER=data,DATA_FOLDER=/var/lib/bitwarden_rs, s,# WEB_VAULT_ENABLED=true,WEB_VAULT_ENABLED=false, - s,# LOG_FILE=/path/to/log,LOG_FILE=/var/log/bitwarden_rs.log, + s,# LOG_FILE=/path/to/log,# LOG_FILE=/var/log/bitwarden_rs.log, /^# ROCKET_TLS/a ROCKET_LIMITS={json=10485760}' .env.template } Modified: bitwarden_rs.install === --- bitwarden_rs.install2020-11-25 00:36:13 UTC (rev 761025) +++ bitwarden_rs.install2020-11-25 00:36:36 UTC (rev 761026) @@ -2,7 +2,23 @@ cat << EOF Configure the server via its environment variables in /etc/bitwarden_rs.env. +If bitwarden_rs is run at ports >1024, you should apply these systemd unit +options via a drop-in file: +[Service] +CapabilityBoundingSet= +AmbientCapabilities= +PrivateUsers=yes + +If the service produces too much noise in your journal, you can redirect stdout +to /dev/null (bitwarden_rs will still also write to /var/log/bitwarden_rs.log +if configured to do so): +[Service] +StandardOutput=null + +Create or edit drop-in file: +# systemctl edit bitwarden_rs + Start bitwarden_rs and enable its systemd service: -# systemctl enable --now bitwarden_rs.service +# systemctl enable --now bitwarden_rs EOF } Modified: bitwarden_rs.service === --- bitwarden_rs.service2020-11-25 00:36:13 UTC (rev 761025) +++ bitwarden_rs.service2020-11-25 00:36:36 UTC (rev 761026) @@ -14,7 +14,7 @@ CapabilityBoundingSet=CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_NET_BIND_SERVICE -# If bitwarden_rs is run at ports >1024, you should apply these options in a +# If bitwarden_rs is run at ports >1024, you should apply these options via a # drop-in file #CapabilityBoundingSet= #AmbientCapabilities=
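Review bot: Commenting out `LOG_FILE` in the template turns off the file log by default, but `bitwarden_rs.service` (also touched in this commit) keeps `ReadWritePaths=/var/lib/bitwarden_rs /var/log/bitwarden_rs.log` under `ProtectSystem=strict`, and as far as I recall systemd only tolerates a missing path there when it is prefixed with `-`. Unless the package's tmpfiles entry (sourced as `$pkgname.tmpfiles`, not shown here) creates the file, a fresh install may fail to start the unit until the operator re-enables `LOG_FILE` or creates the file; if that is the case, `ReadWritePaths=/var/lib/bitwarden_rs -/var/log/bitwarden_rs.log` is the safer form. It would also help to add a template comment next to the sed'd line, e.g. `# Logging goes to the journal only unless LOG_FILE is set`, since the .env file is where operators look. The enclosing `prepare()` function starts outside the hunk.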
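Review bot: The condition `If bitwarden_rs is run at ports >1024` is off by one: CAP_NET_BIND_SERVICE is only needed for ports below 1024, so the capability drop and `PrivateUsers=yes` apply whenever the configured port is 1024 or higher; suggest `If bitwarden_rs is not run on a privileged port (<1024)`, and the same wording appears in the `bitwarden_rs.service` comment in this commit. The drop-in snippet itself is sound, since an empty `CapabilityBoundingSet=` resets the set to empty rather than leaving it untouched, so the service really does lose the capability. For the `StandardOutput=null` hint it is worth saying that, with `LOG_FILE` now commented out by default, this leaves no log at all unless the operator sets it first, e.g. `(set LOG_FILE in /etc/bitwarden_rs.env first, or nothing is logged)`. `post_install()` opens outside the hunk; if the install script also defines `post_upgrade`, existing users will not see these hints.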
[arch-commits] Commit in bitwarden_rs/trunk (3 files)
Date: Tuesday, November 24, 2020 @ 22:13:57 Author: polyzen Revision: 761016 upgpkg: bitwarden_rs 1.17.0-4: Omit home directory and shell As recommended in sysusers.d(5). Also follow option ordering used in systemd unit manuals. Modified: bitwarden_rs/trunk/PKGBUILD bitwarden_rs/trunk/bitwarden_rs.service bitwarden_rs/trunk/bitwarden_rs.sysusers.conf + PKGBUILD |6 ++-- bitwarden_rs.service | 60 --- bitwarden_rs.sysusers.conf |2 - 3 files changed, 27 insertions(+), 41 deletions(-) Modified: PKGBUILD === --- PKGBUILD2020-11-24 20:51:09 UTC (rev 761015) +++ PKGBUILD2020-11-24 22:13:57 UTC (rev 761016) @@ -4,7 +4,7 @@ pkgname=bitwarden_rs pkgver=1.17.0 -pkgrel=3 +pkgrel=4 pkgdesc='Unofficial Bitwarden compatible server written in Rust' arch=('x86_64') url=https://github.com/dani-garcia/bitwarden_rs @@ -20,8 +20,8 @@ "$pkgname.sysusers.conf" "$pkgname.tmpfiles") b2sums=('faf4a3e0cba6905547c347bd8d7939e2412116d5c9b226e49cddd04306b6e69e00e1f5d7b1b09493ff02614d5417b34cd9c54cb3efffbf238e23e3f54bacd5d1' - '8fc7e0aeed4b17065ddaedad0038e2a635e9bc477170e397a116845249784f3beaa7c241e9706ae64abc1c662eb969ccfa045e21bd805188690bb308e1d88a97' - '1c95c3ba5b40508c0b67bec788ea38468baddd5e0e2b20ff78aaeb99cb5d0b93e29995dc4672a96a7be9a3b0d3a5c5a607576a2db01309ff08231eb4b747b659' + 'c344164792bc9f9d5b485f932d2c476515d783cb54478e60fb8ca3c17f5781e067af0d2dff0670886fd186427c78e986f544f66d34e936db9f719c7f0be156e3' + 'c44af94e19724ba23a11cec3ccc46ff9db307a058564d539dc533308e75ff43cfb5e42515bd49fdeb86e02cbc7575dc87c3b132d9d28d49f7e8fedab598c06f5' 'a2a6a128a405b4dbd06eb84c25b1971a5dcab4b918d6fec74da317b76485eda6b4b16ad972a85d9c8267b0a848787761fae75cd6bbb81d970a8cbc8683a2fc42') prepare() { Modified: bitwarden_rs.service === --- bitwarden_rs.service2020-11-24 20:51:09 UTC (rev 761015) +++ bitwarden_rs.service2020-11-24 22:13:57 UTC (rev 761016) 
@@ -4,66 +4,52 @@ After=network.target [Service] -# The user/group bitwarden_rs is run under. These are created at install, with -# /var/lib/bitwarden_rs as the home directory +ExecStart=/usr/bin/bitwarden_rs +WorkingDirectory=/var/lib/bitwarden_rs User=bitwarden_rs Group=bitwarden_rs -# The location of the .env file for configuration -EnvironmentFile=/etc/bitwarden_rs.env +# Allow bitwarden_rs to bind ports in the range of 0-1024 and restrict it to +# that capability +CapabilityBoundingSet=CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_BIND_SERVICE -# The location of the compiled binary -ExecStart=/usr/bin/bitwarden_rs +# If bitwarden_rs is run at ports >1024, you should apply these options in a +# drop-in file +#CapabilityBoundingSet= +#AmbientCapabilities= +#PrivateUsers=yes -# Set reasonable connection and process limits +NoNewPrivileges=yes + LimitNOFILE=1048576 LimitNPROC=64 +UMask=0077 -# Set the working directory (user and password data are stored here) and only -# allow writes to the following -WorkingDirectory=~ +ProtectSystem=strict +ProtectHome=yes ReadWritePaths=/var/lib/bitwarden_rs /var/log/bitwarden_rs.log - -# Prevent bitwarden_rs from doing anything stupid and/or unneccessary -LockPersonality=yes -MemoryDenyWriteExecute=yes -NoNewPrivileges=yes - PrivateTmp=yes PrivateDevices=yes - -ProtectHome=yes -ProtectSystem=strict +ProtectHostname=yes +ProtectClock=yes ProtectKernelTunables=yes ProtectKernelModules=yes ProtectKernelLogs=yes ProtectControlGroups=yes -ProtectHostname=yes -ProtectClock=yes - RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictNamespaces=yes +LockPersonality=yes +MemoryDenyWriteExecute=yes RestrictRealtime=yes RestrictSUIDSGID=yes - RemoveIPC=yes -UMask=0077 +SystemCallFilter=@system-service +SystemCallFilter=~@privileged @resources SystemCallArchitectures=native -SystemCallFilter=@system-service -SystemCallFilter=~@resources -SystemCallFilter=~@privileged -# Allow bitwarden_rs to bind ports in the range of 0-1024 and 
restrict it to -# that capability -CapabilityBoundingSet=CAP_NET_BIND_SERVICE -AmbientCapabilities=CAP_NET_BIND_SERVICE +EnvironmentFile=/etc/bitwarden_rs.env -# If bitwarden_rs is run at ports >1024, you should apply these options in a -# drop-in file -#PrivateUsers=yes -#CapabilityBoundingSet= -#AmbientCapabilities= - [Install] WantedBy=multi-user.target Modified: bitwarden_rs.sysusers.conf === --- bitwarden_rs.sysusers.conf 2020-11-24 20:51:09 UTC (rev 761015) +++ bitwarden_rs.sysusers.conf 2020-11-24 22:13:57 UTC (rev 761016) @@ -1 +1 @@ -u bitwarden_rs - "bitwarden_rs user" /var/lib/bitwarden_rs /usr/bin/nologin +u bitwarden_rs - "bitwarden_rs user"
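Review bot: `EnvironmentFile=/etc/bitwarden_rs.env` is the file where the admin token and database/SMTP credentials are configured, so the unit's sandboxing only holds if that file is not world-readable; the packaging step that installs it is not in this diff, so worth confirming it is installed mode 0600 (or 0640 root:bitwarden_rs) and noting it in the unit with `# /etc/bitwarden_rs.env holds secrets; keep it mode 0600` above the key. Replacing `WorkingDirectory=~` with `/var/lib/bitwarden_rs` is the right companion to the sysusers change below, which no longer sets a home directory. Two comment nits in the new text: `bind ports in the range of 0-1024` should read `below 1024` (CAP_NET_BIND_SERVICE covers 0-1023), and `run at ports >1024` should be `>=1024` or `not on a privileged port`. Merging the two `SystemCallFilter=~` lines into `SystemCallFilter=~@privileged @resources` is equivalent to the old two-line form, so no behavioural change there.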