bitmagnet-io / bitmagnet

A self-hosted BitTorrent indexer, DHT crawler, content classifier and torrent search engine with web UI, GraphQL API and Servarr stack integration.
https://bitmagnet.io/
MIT License

Add systemd service example #125

Open davispuh opened 5 months ago

davispuh commented 5 months ago

If you want to run it 24/7 as a proper systemd service then it's useful to have a .service file. I tried to harden it as much as possible; only a few things could be tweaked more, like SystemCallFilter, but this should already be good enough.

$ systemd-analyze security bitmagnet
[...]
→ Overall exposure level for bitmagnet.service: 1.2 OK 🙂 (lower number means most secure, 10 is most unsafe)

And here's a bonus nginx config

upstream bitmagnet {
    server 127.0.0.1:3333;
}

server {
    listen 443 ssl;

    server_name bitmagnet.example.org;

    access_log  /var/log/nginx/bitmagnet.access.log;
    error_log   /var/log/nginx/bitmagnet.error.log;

    # Consider using some auth if you want to allow non-local access
    allow 127.0.0.0/8;
    allow ::1/128;
    deny all;

    ssl_certificate "/etc/letsencrypt/live/bitmagnet.example.org/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/bitmagnet.example.org/privkey.pem";
    ssl_trusted_certificate "/etc/letsencrypt/live/bitmagnet.example.org/chain.pem";

    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Frame-Options "DENY";
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy "default-src 'self' https:; object-src 'none'; frame-src 'none'; base-uri 'self'; img-src https: data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; connect-src https:; sandbox allow-same-origin allow-scripts allow-downloads; trusted-types; require-trusted-types-for 'script'";

    location / {
        proxy_pass http://bitmagnet;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }

}
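A long hand-written CSP value like the one in the config above is easy to get subtly wrong, so here is a small checker (an added example, not bitmagnet or nginx code) that splits the header value into directives and flags keyword tokens with an unbalanced or missing quote (for instance `object-src 'none;`) as well as `'unsafe-inline'` in script-src. The sample policies are constructed for the demonstration.

```python
"""Content-Security-Policy sanity checker (added example, not bitmagnet code).

Splits a CSP header value into directives and flags two things a reviewer
would raise on a long hand-written policy: a keyword token with an
unbalanced or missing single quote (e.g. object-src 'none; ...) and
'unsafe-inline' in script-src, which undoes most of script-src's value.
"""

# Keywords CSP expects in single quotes; an odd quote count or no quotes at
# all means a typo (unquoted `none` would be read as a host named "none").
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic", "script"}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Return {directive: [tokens]}; ';' separates directives, whitespace separates tokens."""
    parsed: dict[str, list[str]] = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, *values = tokens
        parsed.setdefault(name.lower(), []).extend(values)
    return parsed


def check_csp(policy: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    for name, values in parse_csp(policy).items():
        for token in values:
            unbalanced = token.count("'") % 2 == 1
            unquoted_keyword = token.strip("'") in KEYWORDS and not token.startswith("'")
            if unbalanced or unquoted_keyword:
                findings.append(f"{name}: malformed keyword token {token!r}")
        if name == "script-src" and "'unsafe-inline'" in values:
            findings.append("script-src: 'unsafe-inline' permits inline scripts; prefer a nonce or hash")
    return findings


# Constructed sample: a shortened policy with the missing-quote slip, and the
# same policy with the directive corrected, for comparison.
TYPO_POLICY = ("default-src 'self' https:; object-src 'none; frame-src 'none'; "
               "base-uri 'self'; script-src 'self' 'unsafe-inline'")
FIXED_POLICY = TYPO_POLICY.replace("'none;", "'none';")

if __name__ == "__main__":
    for label, policy in (("typo", TYPO_POLICY), ("fixed", FIXED_POLICY)):
        print(label, check_csp(policy) or ["ok"])
```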
mgdigital commented 4 months ago

Thanks for this @davispuh . I'm open to adding this, though might it be better in the form of a tutorial for the website? I'd want to do a bit of testing first, which will require some set-up work for me as I'm running through Docker. I will get round to this when I can unless someone can beat me to it and do an independent review of this....

davispuh commented 4 months ago

though might it be better in the form of a tutorial for the website?

It can be useful for both. For the packaging use case only an actual copyable file is usable, since trying to extract it out doesn't seem like a good idea, and then everyone would just have their own copies which wouldn't get updated; hence a copyable upstream file is better.

hardKOrr commented 4 months ago

I created a bitmagnet LXC and used this service file (updating user/group) and have been running successfully for a couple days.