chore: Debian 12 → 13 (Trixie) migration, service hardening
All checks were successful
Build Archipelago ISO (dev) / build-iso (push) Successful in 12m25s

- Update all references from Debian 12 (Bookworm) to Debian 13 (Trixie)
- Enable SystemCallArchitectures, RestrictAddressFamilies, RestrictRealtime
  in archipelago.service (safe on systemd 256+ which respects NoNewPrivileges=no)
- Update GLIBC compatibility checks from 2.36 to 2.40
- ISO filename, build container, and docs updated throughout

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Dorian
2026-04-09 21:32:08 +02:00
parent fe3c844fe6
commit a0a7aadcb3
19 changed files with 41 additions and 43 deletions


@@ -34,12 +34,11 @@ NoNewPrivileges=no
PrivateDevices=no
SupplementaryGroups=dialout debian-tor
# Network, syscall, and realtime restrictions DISABLED on Debian 12:
# RestrictAddressFamilies, SystemCallArchitectures, and RestrictRealtime all use
# seccomp filters that force no_new_privs=1 in the kernel (systemd 252).
# This blocks sudo, which is required for archipelago-wg (WireGuard peer management).
# Debian 13+ (systemd 256) respects NoNewPrivileges=no as an override, but Debian 12 does not.
# Re-enable these when dropping Debian 12 support.
# Syscall and network restrictions — safe on Debian 13 (systemd 256+)
# which respects NoNewPrivileges=no as an explicit override for seccomp filters
SystemCallArchitectures=native
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictRealtime=yes
# MemoryDenyWriteExecute removed: ring (rustls) and secp256k1 (bitcoin/nostr)
# use assembly code that requires executable memory mappings on some platforms
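Review bot: the three re-enabled directives (SystemCallArchitectures=native, RestrictAddressFamilies=..., RestrictRealtime=yes) rest entirely on the new comment's claim that systemd 256 honours NoNewPrivileges=no as an explicit override for seccomp-backed options, and the removed comment says the consequence of that claim being wrong on a given host is that sudo in archipelago-wg stops working; nothing in the unit pins a minimum systemd version or checks the outcome. Suggest keeping a one-line verification hint in the comment (that `NoNewPrivs:` in /proc/<MainPID>/status should read 0 after the service starts, and that the archipelago-wg sudo call still succeeds), and keeping the reason the override matters, i.e. the dropped line `# This blocks sudo, which is required for archipelago-wg (WireGuard peer management).`, so a later reader does not "tighten" the unit back to NoNewPrivileges=yes. Separately, the AF_NETLINK entry in RestrictAddressFamilies= carries no rationale; if it is there for the WireGuard peer management named in the removed comment, say so next to the directive so the list does not get trimmed in a later hardening pass.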