systemd
cuprated
can be ran as a systemd
service, the below are commands to setup a relatively hardened deployment.
# Create the `cuprate` user
sudo useradd --system --shell /sbin/nologin --home-dir /home/cuprate cuprate
# Move `cuprated` and the config file
# into the appropriate location.
mv cuprated Cuprated.toml /home/cuprate/
# Move the service file to the appropriate location.
sudo mv cuprated.service /etc/systemd/system/
# Start the `cuprated` service.
sudo systemctl daemon-reload
sudo systemctl start cuprated
# (Optional) start `cuprated` upon boot.
sudo systemctl enable cuprated
A relatively hardened systemd
service file for cuprated
:
## cuprated.service
##
## This file is a relatively hardened systemd
## service for `cuprated`, it:
##
## - requires a `cuprate` user exists
## - restricts filesystem access to `/home/cuprate`
## - requires `/home/cuprate/cuprated`
## and `/home/cuprate/Cuprated.toml` exist
##
## For service file documentation, see:
## <https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html>
[Unit]
Description=Cuprate Monero Node
StartLimitIntervalSec=300
StartLimitBurst=5
[Service]
## User.
User=cuprate
Group=cuprate
Type=simple
## Max memory.
MemoryAccounting=yes
MemoryHigh=4G
MemoryMax=4G
## Start command.
ExecStart=/home/cuprate/cuprated --config-file /home/cuprate/Cuprated.toml
## Restart every 5s on failure.
KillSignal=SIGINT
Restart=on-failure
RestartSec=5s
## Open file limit.
LimitNOFILE=16384
## On exit, wait 1 minute before sending SIGKILL.
TimeoutStopSec=60s
SendSIGKILL=true
## Restrict filesystem access.
BindPaths=/home/cuprate
## Security hardening.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
CapabilityBoundingSet=
DeviceAllow=
LockPersonality=true
NoNewPrivileges=true
ProcSubset=pid
RemoveIPC=true
SystemCallArchitectures=native
UMask=0077
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=read-only
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
[Install]
WantedBy=multi-user.target