Max Mazurov foxcpp

  • VK Tech
  • Moscow, Russia
@ageis
ageis / systemd_service_hardening.md
Last active December 31, 2025 01:23
Options for hardening systemd service units

security and hardening options for systemd service units

A common and reliable pattern in service unit files is thus:

NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict
@epcim
epcim / action_gnutls_scripted.md
Last active February 3, 2024 18:50
gnutls certtool ssl tls openssl

CA - based on gnutls-bin


This directory holds the CA key and wildcard certificates created for the new infrastructure. The CA key/cert is "ca-cert.pem/key".

TODO:

  • create scripts to re-generate client certificates based on NEW CA
  • develop procedure to generate client/server certs from template (partially done)
  • develop procedure to generate clr files + revoke certificate + distribute them on public places
@subfuzion
subfuzion / global-gitignore.md
Last active December 25, 2025 13:16
Global gitignore

There are certain files created by particular editors, IDEs, operating systems, etc., that do not belong in a repository. But adding system-specific files to the repo's .gitignore is considered a poor practice. This file should only exclude files and directories that are a part of the package that should not be versioned (such as the node_modules directory) as well as files that are generated (and regenerated) as artifacts of a build process.

All other files should be in your own global gitignore file:

  • Create a file called .gitignore in your home directory and add any filepath patterns you want to ignore.
  • Tell git where your global gitignore file is.

Note: The specific name and path you choose aren't important as long as you configure git to find it, as shown below. You could substitute .config/git/ignore for .gitignore in your home directory, if you prefer.