More docs

2024-12-04 23:55:11 -08:00 · 2024-12-04 23:55:11 -08:00 · fc2361614e
commit fc2361614e
parent 23ceeffcfa
2 changed files with 26 additions and 3 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -30,5 +30,8 @@ strip = "symbols"
 lto = "thin"
 codegen-units = 1

+[package.metadata.deb]
+name = "cloudflare-ddns-rs"
+
 [package.metadata.deb.systemd-units]
 unit-scripts = "systemd/"
--- a/README.md
+++ b/README.md
@ -29,8 +29,15 @@ different IP address.

 ## Installation

-First, create an initial file at `/etc/cloudflare-ddns.toml`. Populate it with
-the following:
+First, create an initial file at `/etc/cloudflare-ddns.toml`. Set the permissions
+so that it is readable and writable by `root` only:
+
+```
+# sudo touch /etc/cloudflare-ddns.toml
+# chmod 600 /etc/cloudflare-ddns.toml
+```
+
+Populate it with the following:

 ```toml
 [account]
@ -129,3 +136,16 @@ successful, installation is complete.
 A `.deb` package is created via [`cargo-deb`].

 [`cargo-deb`]: https://github.com/kornelski/cargo-deb
+
+## Security
+
+This project attempts to take security seriously. Please note the following
+hardening notes applied by default.
+
+### Hardened `systemd` service configuration
+
+In principle, this service needs very little access to a host, and needs access
+to the internet. As a result, the default `systemd` service configuration
+aggressively restricts the capabilities of the binary to a minimum set of
+features, namely access to the internet and dependency to do so. If you believe
+more directives could be provided, please create a PR.