archy/image-recipe/configs/archipelago.service
Dorian 934d120243 fix: restore container scanning — relax systemd sandbox for podman
The security hardening (NoNewPrivileges, RestrictAddressFamilies,
MemoryDenyWriteExecute, RestrictRealtime, ProtectSystem=strict) all
blocked podman container management via sudo. These are temporarily
disabled until TASK-11 (rootless podman migration) is complete.

Remaining active protections: ProtectSystem=true (/usr, /boot),
ProtectHome=yes, PrivateTmp=yes, PrivateDevices=no (mesh radio).

Also adds TASK-11 to MASTER_PLAN.md for tracking the rootless podman
migration that will allow re-enabling full security hardening.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 12:06:35 +00:00

41 lines
1.3 KiB
Desktop File

[Unit]
Description=Archipelago Backend
After=network-online.target archipelago-setup-tor.service
Wants=network-online.target
[Service]
Type=notify
User=archipelago
Environment="ARCHIPELAGO_BIND=0.0.0.0:5678"
Environment="ARCHIPELAGO_DEV_MODE=true"
ExecStartPre=/bin/bash -c 'mkdir -p /var/lib/archipelago && echo "ARCHIPELAGO_HOST_IP=$(hostname -I 2>/dev/null | awk "{print $$1}")" > /var/lib/archipelago/host-ip.env'
ExecStart=/usr/local/bin/archipelago
Restart=on-failure
RestartSec=5
WatchdogSec=300
TimeoutStartSec=300
# Filesystem protection
# ProtectSystem=true protects /usr and /boot only.
# Cannot use =full or =strict because podman needs write to /etc/containers.
ProtectSystem=true
ProtectHome=yes
PrivateTmp=yes
# Privilege restriction
# NOTE: NoNewPrivileges, RestrictAddressFamilies, MemoryDenyWriteExecute, and
# RestrictRealtime are disabled because they all implicitly set the kernel
# no_new_privs flag, which blocks sudo — required for podman container management.
# TODO(TASK-11): Migrate to rootless podman, then re-enable all of these.
PrivateDevices=no
SupplementaryGroups=dialout
# Filesystem protection remains active (ProtectSystem, ProtectHome, PrivateTmp above)
# Logging
StandardOutput=journal
StandardError=journal
[Install]
WantedBy=multi-user.target