inv_sig_helper/inv_sig_helper.service

[Unit]
Description=inv_sig_helper (decrypt YouTube signatures and manage player information)
After=syslog.target
After=network.target

[Service]
RestartSec=2s
Type=simple

User=invidious
Group=invidious

# allow only the strict necessary since this service runs untrusted code directly from Google
CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP
CapabilityBoundingSet=~CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_SYS_PTRACE
CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP
CapabilityBoundingSet=~CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER
CapabilityBoundingSet=~CAP_NET_ADMIN
CapabilityBoundingSet=~CAP_SYS_MODULE
CapabilityBoundingSet=~CAP_SYS_RAWIO
CapabilityBoundingSet=~CAP_SYS_TIME
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_KILL
CapabilityBoundingSet=~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=~CAP_SYSLOG
CapabilityBoundingSet=~CAP_SYS_NICE CAP_SYS_RESOURCE
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_SYS_BOOT
CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE
CapabilityBoundingSet=~CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_SYS_CHROOT
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
CapabilityBoundingSet=~CAP_LEASE
CapabilityBoundingSet=~CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_WAKE_ALARM
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProcSubset=pid
ProtectControlGroups=true
ProtectHome=tmpfs
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictSUIDSGID=true
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock
SystemCallFilter=~@debug
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@swap
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@obsolete

BindReadOnlyPaths=/home/invidious/inv_sig_helper
BindPaths=/home/invidious/tmp

WorkingDirectory=/home/invidious/inv_sig_helper
ExecStart=/home/invidious/inv_sig_helper/target/release/inv_sig_helper_rust /home/invidious/tmp/inv_sig_helper.sock

Restart=always

[Install]
WantedBy=multi-user.target
Systemd service file (#22) * Add example systemd service file * Mention systemd service file in README 2024-09-22 16:43:22 +00:00			`[Unit]`
			`Description=inv_sig_helper (decrypt YouTube signatures and manage player information)`
			`After=syslog.target`
			`After=network.target`

			`[Service]`
			`RestartSec=2s`
			`Type=simple`

			`User=invidious`
			`Group=invidious`

			`# allow only the strict necessary since this service runs untrusted code directly from Google`
			`CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP`
			`CapabilityBoundingSet=~CAP_SYS_ADMIN`
			`CapabilityBoundingSet=~CAP_SYS_PTRACE`
			`CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP`
			`CapabilityBoundingSet=~CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER`
			`CapabilityBoundingSet=~CAP_NET_ADMIN`
			`CapabilityBoundingSet=~CAP_SYS_MODULE`
			`CapabilityBoundingSet=~CAP_SYS_RAWIO`
			`CapabilityBoundingSet=~CAP_SYS_TIME`
			`CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE`
			`CapabilityBoundingSet=~CAP_KILL`
			`CapabilityBoundingSet=~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW`
			`CapabilityBoundingSet=~CAP_SYSLOG`
			`CapabilityBoundingSet=~CAP_SYS_NICE CAP_SYS_RESOURCE`
			`CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE`
			`CapabilityBoundingSet=~CAP_SYS_BOOT`
			`CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE`
			`CapabilityBoundingSet=~CAP_IPC_LOCK`
			`CapabilityBoundingSet=~CAP_SYS_CHROOT`
			`CapabilityBoundingSet=~CAP_BLOCK_SUSPEND`
			`CapabilityBoundingSet=~CAP_LEASE`
			`CapabilityBoundingSet=~CAP_SYS_PACCT`
			`CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG`
			`CapabilityBoundingSet=~CAP_WAKE_ALARM`
			`LockPersonality=true`
			`MemoryDenyWriteExecute=true`
			`NoNewPrivileges=true`
			`PrivateDevices=true`
			`PrivateTmp=true`
			`PrivateUsers=true`
			`ProcSubset=pid`
			`ProtectControlGroups=true`
			`ProtectHome=tmpfs`
			`ProtectHostname=true`
			`ProtectKernelLogs=true`
			`ProtectKernelModules=true`
			`ProtectKernelTunables=true`
			`ProtectProc=invisible`
			`ProtectSystem=strict`
			`RemoveIPC=true`
			`RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX`
			`RestrictNamespaces=true`
			`RestrictSUIDSGID=true`
			`RestrictRealtime=true`
			`SystemCallArchitectures=native`
			`SystemCallFilter=~@clock`
			`SystemCallFilter=~@debug`
			`SystemCallFilter=~@module`
			`SystemCallFilter=~@mount`
			`SystemCallFilter=~@raw-io`
			`SystemCallFilter=~@reboot`
			`SystemCallFilter=~@swap`
			`SystemCallFilter=~@privileged`
			`SystemCallFilter=~@resources`
			`SystemCallFilter=~@cpu-emulation`
			`SystemCallFilter=~@obsolete`

			`BindReadOnlyPaths=/home/invidious/inv_sig_helper`
			`BindPaths=/home/invidious/tmp`

			`WorkingDirectory=/home/invidious/inv_sig_helper`
			`ExecStart=/home/invidious/inv_sig_helper/target/release/inv_sig_helper_rust /home/invidious/tmp/inv_sig_helper.sock`

			`Restart=always`

			`[Install]`
			`WantedBy=multi-user.target`