Bug#1010126: FYI working example .service
Trent W. Buck
trentbuck at gmail.com
Tue Oct 4 05:34:21 BST 2022
Please find attached the .service I am using on Debian 11.
You don't need all of this crap, I guess.
* The msmtp stuff is only needed if you have a git post-commit hook that
makes git send an email.
* The nginx stuff is only needed if you want to have >1 web app on the standard port.
* The tmpfiles stuff (and git config core.sharedRepository)
is only needed if users want to bypass the web UI and edit .pages directly.
It's also a bit broken (adds needless execute permissions) right now.
* The theme stuff is only needed if you hate the default theme.
https://github.com/trentbuck/gitit-bootstrap-theme/
For simple cases, you could probably replace the sysusers file with DynamicUser=yes,
and just have gitit store all its state in /var/lib/gitit (StateDirectory=%p).
The only issue I've had with this setup so far is gitit claiming static files disappear, when they don't.
There's no user-visible impact when this happens.
It wasn't happening on the old (2010-era) gitit install I had running under upstart.
-- Journal begins at Sat 2022-08-06 18:32:36 AEST, ends at Tue 2022-10-04 15:29:20 AEDT. --
Sep 26 12:54:20 heavy systemd[1]: Started gitit.service.
Sep 26 12:55:19 heavy gitit[2522]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
Sep 26 12:55:29 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/bootstrap4/css/bootstrap.min.css: withFd: resource vanished (Broken pipe)
Sep 26 12:55:29 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/logo.svg: withFd: resource vanished (Broken pipe)
Sep 26 12:55:29 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/screen.css: withFd: resource vanished (Broken pipe)
Sep 26 12:55:29 heavy gitit[2522]: HTTP request failed with: /usr/share/gitit/data/static/css/highlighting.css: withFd: resource vanished (Broken pipe)
Sep 26 12:55:41 heavy gitit[2522]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
Sep 26 12:55:46 heavy gitit[2522]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
Sep 26 16:26:34 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
Sep 26 18:00:09 heavy gitit[2522]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
Sep 26 23:43:33 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/screen.css: withFd: resource vanished (Broken pipe)
Sep 26 23:43:33 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/print.css: withFd: resource vanished (Broken pipe)
Sep 26 23:43:33 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/fonts-fork-awesome/fonts/forkawesome-webfont.woff2: withFd: resource vanished (Broken pipe)
Sep 26 23:43:33 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Connection reset by peer)
Sep 27 12:53:13 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/gitit/data/static/js/footnotes.js: withFd: resource vanished (Broken pipe)
Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/logo.svg: withFd: resource vanished (Broken pipe)
Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/gitit/data/static/js/jquery.min.js: withFd: resource vanished (Broken pipe)
Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/screen.css: withFd: resource vanished (Broken pipe)
Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/gitit/data/static/css/highlighting.css: withFd: resource vanished (Broken pipe)
Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/print.css: withFd: resource vanished (Broken pipe)
Sep 28 19:25:00 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
Sep 28 19:25:27 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
Sep 29 10:02:17 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
Oct 03 06:44:23 heavy systemd[1]: Stopping gitit.service...
Oct 03 06:44:23 heavy systemd[1]: gitit.service: Succeeded.
Oct 03 06:44:23 heavy systemd[1]: Stopped gitit.service.
Oct 03 06:44:23 heavy systemd[1]: gitit.service: Consumed 8h 33min 81ms CPU time.
Oct 03 06:44:23 heavy systemd[1]: Started gitit.service.
Oct 04 12:28:54 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/js/custom.js: withFd: resource vanished (Broken pipe)
Oct 04 12:28:54 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/logo.svg: withFd: resource vanished (Broken pipe)
Oct 04 12:28:54 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/js/jquery.min.js: withFd: resource vanished (Broken pipe)
Oct 04 12:28:54 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/css/highlighting.css: withFd: resource vanished (Broken pipe)
Oct 04 12:28:54 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/print.css: withFd: resource vanished (Broken pipe)
Oct 04 13:36:44 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/js/sidebar.js: withFd: resource vanished (Broken pipe)
Oct 04 13:36:44 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/js/jquery.min.js: withFd: resource vanished (Broken pipe)
Oct 04 13:36:44 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/js/custom.js: withFd: resource vanished (Broken pipe)
Oct 04 13:36:44 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/js/footnotes.js: withFd: resource vanished (Broken pipe)
Oct 04 13:36:44 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
Oct 04 13:45:34 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/bootstrap4/css/bootstrap.min.css: withFd: resource vanished (Broken pipe)
Oct 04 13:45:34 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/css/highlighting.css: withFd: resource vanished (Broken pipe)
Oct 04 13:45:34 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/print.css: withFd: resource vanished (Broken pipe)
Oct 04 13:48:29 heavy gitit[1990076]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
Oct 04 13:55:23 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/js/custom.js: withFd: resource vanished (Broken pipe)
Oct 04 14:28:10 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/screen.css: withFd: resource vanished (Broken pipe)
Oct 04 14:28:10 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
Oct 04 14:28:17 heavy gitit[1990076]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
Oct 04 14:29:48 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/css/highlighting.css: withFd: resource vanished (Broken pipe)
Oct 04 14:38:14 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/screen.css: withFd: resource vanished (Broken pipe)
Oct 04 14:38:14 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/css/highlighting.css: withFd: resource vanished (Broken pipe)
Oct 04 14:38:14 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/print.css: withFd: resource vanished (Broken pipe)
-------------- next part --------------
[Service]
ExecStart=gitit --config-file=/etc/gitit.conf

[Install]
WantedBy=multi-user.target

# Hardening
# (systemd merges repeated [Service] sections; %p expands to the unit's
# prefix name, "gitit".)
[Service]
# Run as the system user created by the sysusers.d fragment.
User=%p
# systemd creates these per-service directories; the runtime, state, cache
# and log ones are owned by User= and stay writable even under
# ProtectSystem=strict. The KB repo is the only other writable path.
LogsDirectory=%p
StateDirectory=%p
RuntimeDirectory=%p
WorkingDirectory=/run/%p
CacheDirectory=%p
ConfigurationDirectory=%p
ReadWritePaths=/srv/vcs/kb
# FIXME: gitit cannot listen on gitit.sock or systemd socket-activate yet.
# https://github.com/jgm/gitit/issues/675
# therefore we cannot do
# PrivateNetwork=yes
# RestrictAddressFamilies=~AF_INET
# RestrictAddressFamilies=~AF_INET6
# IPAddressDeny=any
# Drop every capability; the service never needs one.
CapabilityBoundingSet=
RestrictNamespaces=yes
# AF_INET/AF_INET6 must stay because of the FIXME above.
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
DevicePolicy=closed
# Stand-in for PrivateNetwork=: only loopback traffic is permitted.
IPAddressDeny=any
IPAddressAllow=localhost
# Also blocks setuid/setgid helpers such as /usr/sbin/sendmail,
# hence the msmtp SMTP-client workaround in msmtprc.
NoNewPrivileges=yes
PrivateDevices=yes
PrivateUsers=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictSUIDSGID=yes
SystemCallArchitectures=native
# Allow list of ordinary service syscalls, minus the privileged and
# resource-control groups.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes
UMask=0077
ProtectHostname=yes
ProcSubset=pid
-------------- next part --------------
  NAME                                                        DESCRIPTION                                                                        EXPOSURE
✗ PrivateNetwork=                                             Service has access to the host's network                                                0.5
✓ User=/DynamicUser=                                          Service runs under a static non-root user identity
✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                Service cannot change UID/GID identities/capabilities
✓ CapabilityBoundingSet=~CAP_SYS_ADMIN                        Service has no administrator privileges
✓ CapabilityBoundingSet=~CAP_SYS_PTRACE                       Service has no ptrace() debugging abilities
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                                   0.3
✓ RestrictNamespaces=~CLONE_NEWUSER                           Service cannot create user namespaces
✓ RestrictAddressFamilies=~…                                  Service cannot allocate exotic sockets
✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)           Service cannot change file ownership/access mode/capabilities
✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)         Service cannot override UNIX file/IPC permission checks
✓ CapabilityBoundingSet=~CAP_NET_ADMIN                        Service has no network configuration privileges
✓ CapabilityBoundingSet=~CAP_SYS_MODULE                       Service cannot load kernel modules
✓ CapabilityBoundingSet=~CAP_SYS_RAWIO                        Service has no raw I/O access
✓ CapabilityBoundingSet=~CAP_SYS_TIME                         Service processes cannot change the system clock
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                      0.1
✗ IPAddressDeny=                                              Service defines IP address allow list with only localhost entries                       0.1
✓ KeyringMode=                                                Service doesn't share key material with other services
✓ NoNewPrivileges=                                            Service processes cannot acquire new privileges
✓ NotifyAccess=                                               Service child processes cannot alter service state
✓ PrivateDevices=                                             Service has no access to hardware devices
✓ PrivateMounts=                                              Service cannot install system mounts
✓ PrivateTmp=                                                 Service has no access to other software's temporary files
✓ PrivateUsers=                                               Service does not have access to other users
✓ ProtectClock=                                               Service cannot write to the hardware clock or system clock
✓ ProtectControlGroups=                                       Service cannot modify the control group file system
✓ ProtectHome=                                                Service has no access to home directories
✓ ProtectKernelLogs=                                          Service cannot read from or write to the kernel log ring buffer
✓ ProtectKernelModules=                                       Service cannot load or read kernel modules
✓ ProtectKernelTunables=                                      Service cannot alter kernel tunables (/proc/sys, …)
✓ ProtectProc=                                                Service has restricted access to process tree (/proc hidepid=)
✓ ProtectSystem=                                              Service has strict read-only access to the OS file hierarchy
✓ RestrictAddressFamilies=~AF_PACKET                          Service cannot allocate packet sockets
✓ RestrictSUIDSGID=                                           SUID/SGID file creation by service is restricted
✓ SystemCallArchitectures=                                    Service may execute system calls only with native ABI
✓ SystemCallFilter=~@clock                                    System call allow list defined for service, and @clock is not included
✓ SystemCallFilter=~@debug                                    System call allow list defined for service, and @debug is not included
✓ SystemCallFilter=~@module                                   System call allow list defined for service, and @module is not included
✓ SystemCallFilter=~@mount                                    System call allow list defined for service, and @mount is not included
✓ SystemCallFilter=~@raw-io                                   System call allow list defined for service, and @raw-io is not included
✓ SystemCallFilter=~@reboot                                   System call allow list defined for service, and @reboot is not included
✓ SystemCallFilter=~@swap                                     System call allow list defined for service, and @swap is not included
✓ SystemCallFilter=~@privileged                               System call allow list defined for service, and @privileged is not included
✓ SystemCallFilter=~@resources                                System call allow list defined for service, and @resources is not included
✓ AmbientCapabilities=                                        Service process does not receive ambient capabilities
✓ CapabilityBoundingSet=~CAP_AUDIT_*                          Service has no audit subsystem access
✓ CapabilityBoundingSet=~CAP_KILL                             Service cannot send UNIX signals to arbitrary processes
✓ CapabilityBoundingSet=~CAP_MKNOD                            Service cannot create device nodes
✓ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has no elevated networking privileges
✓ CapabilityBoundingSet=~CAP_SYSLOG                           Service has no access to kernel logging
✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)              Service has no privileges to change resource use parameters
✓ RestrictNamespaces=~CLONE_NEWCGROUP                         Service cannot create cgroup namespaces
✓ RestrictNamespaces=~CLONE_NEWIPC                            Service cannot create IPC namespaces
✓ RestrictNamespaces=~CLONE_NEWNET                            Service cannot create network namespaces
✓ RestrictNamespaces=~CLONE_NEWNS                             Service cannot create file system namespaces
✓ RestrictNamespaces=~CLONE_NEWPID                            Service cannot create process namespaces
✓ RestrictRealtime=                                           Service realtime scheduling access is restricted
✓ SystemCallFilter=~@cpu-emulation                            System call allow list defined for service, and @cpu-emulation is not included
✓ SystemCallFilter=~@obsolete                                 System call allow list defined for service, and @obsolete is not included
✗ RestrictAddressFamilies=~AF_NETLINK                         Service may allocate netlink sockets                                                    0.1
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                           0.1
✓ SupplementaryGroups=                                        Service has no supplementary groups
✓ CapabilityBoundingSet=~CAP_MAC_*                            Service cannot adjust SMACK MAC
✓ CapabilityBoundingSet=~CAP_SYS_BOOT                         Service cannot issue reboot()
✓ Delegate=                                                   Service does not maintain its own delegated control group subtree
✓ LockPersonality=                                            Service cannot change ABI personality
✓ MemoryDenyWriteExecute=                                     Service cannot create writable executable memory mappings
✓ RemoveIPC=                                                  Service user cannot leave SysV IPC objects around
✓ RestrictNamespaces=~CLONE_NEWUTS                            Service cannot create hostname namespaces
✓ UMask=                                                      Files created by service are accessible only by service's own user by default
✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE                  Service cannot mark files immutable
✓ CapabilityBoundingSet=~CAP_IPC_LOCK                         Service cannot lock memory into RAM
✓ CapabilityBoundingSet=~CAP_SYS_CHROOT                       Service cannot issue chroot()
✓ ProtectHostname=                                            Service cannot change system host/domainname
✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND                    Service cannot establish wake locks
✓ CapabilityBoundingSet=~CAP_LEASE                            Service cannot create file leases
✓ CapabilityBoundingSet=~CAP_SYS_PACCT                        Service cannot use acct()
✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG                   Service cannot issue vhangup()
✓ CapabilityBoundingSet=~CAP_WAKE_ALARM                       Service cannot program timers that wake up the system
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                      0.1
✓ ProcSubset=                                                 Service has no access to non-process /proc files (/proc subset=)

→ Overall exposure level for gitit.service: 1.0 OK 🙂
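A small linter for the unit file attached above, added here as an example and not part of the bug report or of systemd. It reads a service unit with a reader that tolerates repeated [Service] sections and repeated keys (SystemCallFilter= appears three times), then checks the directives that the systemd-analyze security output above scores, so the two findings it reports (no PrivateNetwork=, Internet address families still allowed) correspond to the two largest exposure entries in that table. SAMPLE_UNIT is a constructed, shortened copy of the attached unit; the CHECKS list is my own selection, not systemd's scoring.

```python
"""Lint a systemd service unit for hardening directives (added example)."""
from collections import defaultdict

# Constructed, shortened copy of the gitit.service attached to the report.
SAMPLE_UNIT = """\
[Service]
ExecStart=gitit --config-file=/etc/gitit.conf

[Install]
WantedBy=multi-user.target

# Hardening
[Service]
User=%p
StateDirectory=%p
ReadWritePaths=/srv/vcs/kb
CapabilityBoundingSet=
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
IPAddressDeny=any
IPAddressAllow=localhost
NoNewPrivileges=yes
ProtectSystem=strict
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
MemoryDenyWriteExecute=yes
"""


def parse_unit(text):
    """Return {section: {key: [values...]}}.

    Repeated sections are merged and repeated keys accumulate, as systemd
    does. An empty assignment (e.g. CapabilityBoundingSet=) resets the list
    but keeps the key present, so "set to empty" and "absent" stay distinct.
    """
    units = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "":
            units[section][key] = []
        else:
            units[section][key].append(value)
    return units


def syscall_filter_ok(values):
    """True when an allow list exists and @privileged is explicitly removed."""
    allow = [v for v in values if not v.startswith("~")]
    deny = {v[1:] for v in values if v.startswith("~")}
    return bool(allow) and "@privileged" in deny


def no_internet_families(values):
    """True when neither AF_INET nor AF_INET6 is in the allowed families."""
    families = set(" ".join(values).split())
    return not families & {"AF_INET", "AF_INET6"}


# (directive, predicate on its value list, what a pass means). Own selection;
# the wording follows the systemd-analyze security descriptions above.
CHECKS = [
    ("NoNewPrivileges", lambda v: v == ["yes"], "processes cannot acquire new privileges"),
    ("ProtectSystem", lambda v: v == ["strict"], "strict read-only access to the OS hierarchy"),
    ("CapabilityBoundingSet", lambda v: v == [], "all capabilities dropped"),
    ("MemoryDenyWriteExecute", lambda v: v == ["yes"], "no writable executable mappings"),
    ("SystemCallFilter", syscall_filter_ok, "allow list defined and @privileged excluded"),
    ("PrivateNetwork", lambda v: v == ["yes"], "no access to the host's network"),
    ("RestrictAddressFamilies", no_internet_families, "cannot allocate Internet sockets"),
]


def lint(text):
    """Return [(directive, 'missing' | 'weak', expectation)] for failed checks."""
    svc = parse_unit(text).get("Service", {})
    findings = []
    for key, ok, expectation in CHECKS:
        if key not in svc:
            findings.append((key, "missing", expectation))
        elif not ok(svc[key]):
            findings.append((key, "weak", expectation))
    return findings


if __name__ == "__main__":
    for key, state, expectation in lint(SAMPLE_UNIT):
        print(f"{key:<24} {state:<8} expected: {expectation}")
```

Run against the sample it reports exactly the two gaps the author's FIXME explains: PrivateNetwork= is missing and RestrictAddressFamilies= still includes AF_INET/AF_INET6. Appending `PrivateNetwork=yes` and resetting the families to `AF_UNIX` clears both, which is the shape the unit could take once gitit supports socket activation.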
-------------- next part --------------
# Tell systemd to create system user 'gitit'
u gitit - - -
-------------- next part --------------
# Tell systemd to grant user 'gitit' write access to the KB repo
# FIXME: this was not working.
# When browsing to gitit, the browser got back this:
# "git: runProcess: runInteractiveProcess: chdir: permission denied (Permission denied)"
# That was while the files looked like this:
#
# $ ls -la /srv/vcs/kb
# total 32
# drwxrwSr-x+ 3 twb cyber 4 Sep 9 23:10 .
# drwxrwsr-x 3 root cyber 3 Sep 9 23:10 ..
# drwxrwSr-x+ 8 twb cyber 13 Sep 9 23:10 .git
# -rw-rw-r--+ 1 twb cyber 26 Sep 9 23:10 'Knowledge Base.page'
#
# However a simple "sudo chown -Rh gitit:cyber /srv/vcs/kb" worked...
#
# A /srv/vcs/kb - - - - d:user:gitit:rwx,user:gitit:rw-
#
# What if I try being a bit more liberal?
# Seems to be better with this config:
#
#
#
# getfacl: Removing leading '/' from absolute path names
# # file: srv/vcs/kb
# # owner: root
# # group: root
# user::rwx
# user:gitit:rwx
# group::rwx
# group:gitit:rwx
# group:cyber:rwx
# mask::rwx
# other::---
# default:user::rwx
# default:user:gitit:rwx
# default:group::rwx
# default:group:cyber:rwx
# default:mask::rwx
# default:other::---
#
# getfacl: Removing leading '/' from absolute path names
# # file: srv/vcs/kb/.git/config
# # owner: root
# # group: root
# user::rwx
# user:gitit:rwx
# group::rwx
# group:gitit:rwx
# group:cyber:rwx
# mask::rwx
# other::---
#
A /srv/vcs/kb - - - - default:user::rwx,user::rwx
A+ /srv/vcs/kb - - - - default:user:gitit:rwx,user:gitit:rwx
A+ /srv/vcs/kb - - - - default:group::rwx,group:gitit:rwx
A+ /srv/vcs/kb - - - - default:group:cyber:rwx,group:cyber:rwx
A+ /srv/vcs/kb - - - - default:other::---,other::---
-------------- next part --------------
# See gitit --print-default-config for documentation.
default-page-type: RST
log-file: /var/log/gitit/gitit.log
# Use this to log every GET request.
# NOTE: if you do this, set up a logrotate rule for gitit!
#log-level: INFO
port: 5001
repository-path: /srv/vcs/kb
static-dir: /usr/share/javascript/gitit-bootstrap-theme/static
templates-dir: /usr/share/javascript/gitit-bootstrap-theme/templates
user-file: /var/lib/gitit/gitit-users
wiki-title: Knowledge Base - Cyber IT Solutions
# FIXME: the cache doesn't know about updates made directly via git
# (as opposed to via the web UI). This could be fixed by having git
# delete the cached version of a file when its source is updated.
#use-cache: yes
cache-dir: /var/cache/gitit
# We used to use apache-mod-ldap to authenticate.
# Now we use in-app authentication (like apache).
# Then our theme sets everyone's password to a dummy password.
# This is because it is behind the VPN, and
# we do not give a shit about employees spoofing one another in the KB.
# They could always do it via "git commit --author=" anyway.
# authentication-method: form
# Long ago the cyber IRC bot would cross-announce RSS changes.
# Nobody cared about this, and the new limnoria bot did not keep this.
# Therefore, turn off the server side of it.
# use-feed: yes
#pandoc-user-data: /usr/share/pandoc/data/
#pdf-export: no
front-page: Knowledge Base
no-delete:
no-edit:
# Default upload size from the web UI is 100kB;
# uploads from git are of course unrestricted.
# Since Ron is too lazy to learn git, I am obliged to add this line.
# UPDATE: Ron knows git these days.
#max-upload-size: 1M
# Disable mathjax -- IMO we do not need to hotlink to cdnjs.cloudflare.com.
math: no
# A security thing. Probably on by default, but does not hurt to be explicit.
xss-sanitize: yes
-------------- next part --------------
# This is necessary so a hardened daemon (e.g. gitit.service) can
# send mail. The normal /usr/sbin/sendmail is setgid maildrop.
# If the systemd unit is hardened, NoNewPrivileges= prevents setgid.
# So, instead, be an SMTP client to localhost.
# postfix trusts localhost, so then postfix can take over from there.
account default
host localhost
auto_from on
maildomain cyber.com.au
# Unlike "dpkg-reconfigure msmtp", we want syslog to be on for easier debugging.
syslog on
# Don't use /etc/aliases, because postfix will/does use it, and
# postfix has substantially more complicated flows than msmtprc.
# UPDATE: actually don't use this at all, for now. -- twb, Sep 2022
#aliases /etc/msmtprc-aliases
# We don't really care about this one, but it does not hurt.
tls_trust_file /etc/ssl/certs/ca-certificates.crt
-------------- next part --------------
default: sysadmin-heavy at cyber.com.au
-------------- next part --------------
server {
    listen 80;
    listen [::]:80;
    server_name kb.cyber.com.au;
    # Serve ACME http-01 challenges directly.
    location /.well-known/ {
        root /var/www/html/;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name kb.cyber.com.au;
    ssl_certificate /etc/letsencrypt-uacme/kb.cyber.com.au/cert.pem;
    ssl_certificate_key /etc/letsencrypt-uacme/private/kb.cyber.com.au/key.pem;
    # Serve ACME http-01 challenges directly.
    location /.well-known/ {
        root /var/www/html/;
    }
    # Everything else serve directly.
    # BUT ONLY TO PEOPLE IN THE OFFICE OR ON THE VPN!!!
    location / {
        proxy_pass http://localhost:5001/;
        allow 203.7.155.0/24;
        allow 10.194.71.0/24; # wireguard users
        allow 127.0.0.0/8;
        deny all;
    }
}
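A model of how nginx evaluates the allow/deny rules in the vhost above, added as an example; it is not part of the bug report and not nginx code. nginx's access module checks a location's rules in the order written and the first match decides; a client that matches no rule is allowed, which is why the `/.well-known/` location (no rules, so the CA can fetch challenges) behaves differently from `/`. The rule lists are copied from the config; the client addresses are constructed test inputs.

```python
"""Evaluate the nginx access rules of the kb.cyber.com.au vhost (added example)."""
import ipaddress

# Rules of "location /" in the order they appear in the config.
KB_RULES = [
    ("allow", "203.7.155.0/24"),
    ("allow", "10.194.71.0/24"),   # wireguard users
    ("allow", "127.0.0.0/8"),
    ("deny", "all"),
]
# "location /.well-known/" carries no access rules at all.
ACME_RULES = []


def is_allowed(client, rules):
    """nginx semantics: first matching rule wins; no match means allowed."""
    addr = ipaddress.ip_address(client)
    for action, net in rules:
        # `addr in network` is False when the IP versions differ, so an IPv6
        # client never matches an IPv4 allow entry.
        if net == "all" or addr in ipaddress.ip_network(net):
            return action == "allow"
    return True


def route(client, path):
    """Pick the location as nginx would for these two prefixes (longest
    prefix match) and evaluate its rules for the client address."""
    rules = ACME_RULES if path.startswith("/.well-known/") else KB_RULES
    return is_allowed(client, rules)


if __name__ == "__main__":
    # Constructed sample requests.
    for client, path in [
        ("203.7.155.10", "/"),                       # office
        ("10.194.71.3", "/Knowledge%20Base"),        # wireguard
        ("127.0.0.1", "/"),                          # loopback
        ("198.51.100.7", "/"),                       # Internet: denied
        ("198.51.100.7", "/.well-known/acme-challenge/token"),  # Internet: allowed
        ("::1", "/"),                                # IPv6 loopback: denied
    ]:
        print(f"{client:<16} {path:<40} {'allow' if route(client, path) else 'deny'}")
```

One caveat the model makes visible: the vhost listens on `[::]:443`, but the allow list contains only IPv4 networks, so any IPv6 client, including `::1`, falls through to `deny all`. That is safe (fail closed) but worth knowing before a wireguard or office range is moved to IPv6.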
More information about the Pkg-haskell-maintainers
mailing list