Introduction

Peertube is something I'm trying to learn and adapt to. I hate some of their UI/UX decisions, but since it's the leading and most mature ActivityPub-based YouTube alternative, I'm giving it a third try.

This guide demonstrates how to fix a bad default systemd security score. It presumes you already have a fully-functional Peertube instance deployed on a systemd system.

system-dee security

Use systemd's built in security audit tool:

sudo systemd-analyze security peertube.service

This is the default score I got, which is not good:

→ Overall exposure level for peertube.service: 8.3 EXPOSED 🙁

Edit the service:

sudo systemctl edit peertube.service

Add these lines. Be sure to change the ReadWritePaths line to your own instance's data directory: with ProtectSystem=strict the rest of the filesystem is mounted read-only for the service, so ReadWritePaths has to list every directory Peertube writes to (storage, logs), and ProtectHome=true hides /home entirely, so an instance living under /home needs a different value there.

[Service]
NoNewPrivileges=yes
UMask=007
LockPersonality=true
RestrictRealtime=yes
RemoveIPC=yes
RestrictSUIDSGID=yes
CapabilityBoundingSet=
AmbientCapabilities=
RestrictNamespaces=yes
SystemCallArchitectures=native
SystemCallFilter=~@mount @swap @reboot @raw-io @module @debug @obsolete @privileged @cpu-emulation @keyring
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true
ProcSubset=pid
ProtectProc=invisible
ReadWritePaths=/zfspool/peertube
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
LimitNOFILE=65536

Then:

sudo systemctl daemon-reload
sudo systemctl restart peertube
sudo systemctl status peertube --no-pager

Re-run the audit:

sudo systemd-analyze security peertube.service
→ Overall exposure level for peertube.service: 1.7 OK 🙂

Any score of 1.x is much better!
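As an added example (not part of the original post), here is a small POSIX shell check that parses the analyzer's score line against a threshold and reports which of the drop-in directives above a given unit file fails to set. The analyzer output and the incomplete drop-in it checks are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: an offline check that a
# hardening drop-in carries the directives the post relies on and that the
# systemd-analyze exposure score came down to an acceptable level.
# On a live host, feed it real data instead of the constructed samples:
#   systemctl cat peertube.service        (drop-in text)
#   systemd-analyze security peertube.service | tail -n1   (score line)

# Constructed sample: final line of `systemd-analyze security` before/after.
BEFORE='→ Overall exposure level for peertube.service: 8.3 EXPOSED 🙁'
AFTER='→ Overall exposure level for peertube.service: 1.7 OK 🙂'

# Constructed sample drop-in that forgot several directives from the post.
DROPIN='[Service]
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/zfspool/peertube'

# Directives from the post that must be present (key names only; an empty
# value such as CapabilityBoundingSet= still counts as set).
REQUIRED='NoNewPrivileges ProtectSystem ProtectHome PrivateTmp PrivateDevices
CapabilityBoundingSet SystemCallFilter RestrictAddressFamilies ReadWritePaths'

# Print the numeric exposure score (0.0 best, 10.0 worst) from analyzer output.
exposure_score() {
    printf '%s\n' "$1" |
        sed -n 's/.*Overall exposure level for [^:]*: \([0-9][0-9]*\.[0-9]*\).*/\1/p'
}

# Succeed when the score is at or below THRESHOLD (default 2.0, i.e. "1.x").
score_ok() {
    score=$(exposure_score "$1"); threshold=${2:-2.0}
    [ -n "$score" ] || return 2   # unparseable output is a failure, not a pass
    awk -v s="$score" -v t="$threshold" 'BEGIN { exit !(s + 0 <= t + 0) }'
}

# List required directives that the drop-in text does not set, one per line.
missing_directives() {
    for key in $REQUIRED; do
        printf '%s\n' "$1" | grep -q "^$key=" || printf '%s\n' "$key"
    done
}
```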