# HG changeset patch
# User Luke Hoersten <luke@hoersten.org>
# Date 1574004828 21600
# Node ID 18b6a82be777ed52c7f9f8f22d0019fa2cf4097a
# Parent  e5c97510c1c04d6af2e6b4393514e304acb02fbb
Added hardening settings.

diff -r e5c97510c1c0 -r 18b6a82be777 roles/pleroma/templates/pleroma.service.j2
--- a/roles/pleroma/templates/pleroma.service.j2	Sun Nov 17 08:51:19 2019 -0600
+++ b/roles/pleroma/templates/pleroma.service.j2	Sun Nov 17 09:33:48 2019 -0600
@@ -7,13 +7,29 @@
 [Service]
 User={{pleroma_user}}
 WorkingDirectory=/home/{{pleroma_user}}/pleroma
+
 Environment="HOME=/home/{{pleroma_user}}"
 Environment="MIX_ENV=prod"
 Environment="PLUG_TMPDIR=/tmp/{{pleroma_user}}"
+
 ExecStart=/usr/bin/mix phx.server
 ExecReload=/bin/kill $MAINPID
 KillMode=process
 Restart=on-failure
 
+; Some security directives.
+; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
+PrivateTmp=true
+; The /home, /root, and /run/user folders can not be accessed by this service anymore. If your Pleroma user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to false.
+ProtectHome=false
+; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
+ProtectSystem=full
+; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
+PrivateDevices=false
+; Ensures that the service process and all its children can never gain new privileges through execve().
+NoNewPrivileges=true
+; Drops the sysadmin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+
 [Install]
 WantedBy=multi-user.target
diff -r e5c97510c1c0 -r 18b6a82be777 roles/pleroma/templates/prod.secret.exs.j2
--- a/roles/pleroma/templates/prod.secret.exs.j2	Sun Nov 17 08:51:19 2019 -0600
+++ b/roles/pleroma/templates/prod.secret.exs.j2	Sun Nov 17 09:33:48 2019 -0600
@@ -2,8 +2,14 @@
 
 config :pleroma, Pleroma.Web.Endpoint,
    url: [host: "{{pleroma_link_host}}", scheme: "{{pleroma_link_scheme}}", port: {{pleroma_link_port}}],
-   http: [port: {{pleroma_port}}],
-   secret_key_base: "{{pleroma_secret_key}}"
+   http: [port: {{pleroma_port}}, ip: {127, 0, 0, 1}],
+   secret_key_base: "{{pleroma_secret_key}}",
+   secure_cookie_flag: true,
+   http_security: true
+
+config :pleroma, :http_security,
+  sts: true,
+  referrer_policy: "same-origin"
 
 config :pleroma, :instance,
   name: "{{pleroma_instance_name}}",