chore: Debian 12 → 13 (Trixie) migration, service hardening
All checks were successful
Build Archipelago ISO (dev) / build-iso (push) Successful in 12m25s
- Update all references from Debian 12 (Bookworm) to Debian 13 (Trixie)
- Enable SystemCallArchitectures, RestrictAddressFamilies, RestrictRealtime in archipelago.service (safe on systemd 256+ which respects NoNewPrivileges=no)
- Update GLIBC compatibility checks from 2.36 to 2.40
- ISO filename, build container, and docs updated throughout

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -34,12 +34,11 @@ NoNewPrivileges=no
PrivateDevices=no
SupplementaryGroups=dialout debian-tor
# Network, syscall, and realtime restrictions DISABLED on Debian 12:
# RestrictAddressFamilies, SystemCallArchitectures, and RestrictRealtime all use
# seccomp filters that force no_new_privs=1 in the kernel (systemd 252).
# This blocks sudo, which is required for archipelago-wg (WireGuard peer management).
# Debian 13+ (systemd 256) respects NoNewPrivileges=no as an override, but Debian 12 does not.
# Re-enable these when dropping Debian 12 support.
# Syscall and network restrictions — safe on Debian 13 (systemd 256+)
# which respects NoNewPrivileges=no as an explicit override for seccomp filters
SystemCallArchitectures=native
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictRealtime=yes
# MemoryDenyWriteExecute removed: ring (rustls) and secp256k1 (bitcoin/nostr)
# use assembly code that requires executable memory mappings on some platforms
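Review bot: the two replacement comment lines above `SystemCallArchitectures=native` drop the reason `NoNewPrivileges=no` matters for this unit, namely that archipelago-wg invokes sudo for WireGuard peer management, which the removed comment block stated explicitly; a reader of the new file can no longer tell why the override is needed or what breaks if it is lost, so keep one line of that rationale, e.g. `# NoNewPrivileges=no is required because archipelago-wg runs sudo; without it the seccomp filters below would set no_new_privs`. Because the seccomp filters are inherited by every child process, including sudo and the WireGuard tooling, the `RestrictAddressFamilies=` list has become a runtime dependency of that sudo path; `AF_NETLINK` covers the WireGuard configuration interface, but this should be confirmed on a Trixie host (`systemctl show archipelago.service -p NoNewPrivileges` plus an actual peer add/remove under the new unit), since the only check attached here is the ISO build, which does not exercise the service at runtime.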