mirror of
https://github.com/smallstep/certificates.git
synced 2024-10-31 03:20:16 +00:00
56 lines
1.4 KiB
Desktop File
56 lines
1.4 KiB
Desktop File
[Unit]
|
|
Description=step-ca service
|
|
Documentation=https://smallstep.com/docs/step-ca
|
|
Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
|
|
After=network-online.target
|
|
Wants=network-online.target
|
|
StartLimitIntervalSec=30
|
|
StartLimitBurst=3
|
|
ConditionFileNotEmpty=/etc/step-ca/config/ca.json
|
|
ConditionFileNotEmpty=/etc/step-ca/password.txt
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=step
|
|
Group=step
|
|
Environment=STEPPATH=/etc/step-ca
|
|
WorkingDirectory=/etc/step-ca
|
|
ExecStart=/usr/local/bin/step-ca config/ca.json --password-file password.txt
|
|
ExecReload=/bin/kill --signal HUP $MAINPID
|
|
Restart=on-failure
|
|
RestartSec=5
|
|
TimeoutStopSec=30
|
|
StartLimitInterval=30
|
|
StartLimitBurst=3
|
|
|
|
; Process capabilities & privileges
|
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
|
SecureBits=keep-caps
|
|
NoNewPrivileges=yes
|
|
|
|
; Sandboxing
|
|
; This sandboxing works with YubiKey PIV (via pcscd HTTP API), but it is likely
|
|
; too restrictive for PKCS#11 HSMs.
|
|
ProtectSystem=full
|
|
ProtectHome=true
|
|
RestrictNamespaces=true
|
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
|
PrivateTmp=true
|
|
ProtectClock=true
|
|
ProtectControlGroups=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelLogs=true
|
|
ProtectKernelModules=true
|
|
LockPersonality=true
|
|
RestrictSUIDSGID=true
|
|
RemoveIPC=true
|
|
RestrictRealtime=true
|
|
PrivateDevices=true
|
|
SystemCallFilter=@system-service
|
|
MemoryDenyWriteExecute=true
|
|
ReadWriteDirectories=/etc/step-ca/db
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|