ci: 💚 Fix CI docs

ci: 💚 Add detect-circular as dependency for docker build
feat: 🔒 Harden Systemd unit config
2025-12-06 16:38:19 +01:00 · 2025-08-22 20:46:38 +02:00 · 2025-08-22 20:45:11 +02:00 · 2025-08-22 20:44:26 +02:00
3 changed files with 25 additions and 3 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -23,7 +23,7 @@ jobs:

    build:
        if: ${{ success() }}
-        needs: [lint, check, tests]
+        needs: [lint, check, tests, detect-circular]
        runs-on: ubuntu-latest
        permissions:
            contents: read
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@ -35,12 +35,12 @@ jobs:
              run: bun install

            - name: Build with VitePress
-              run: bun run docs:build
+              run: bun run --filter="@versia-server/api" docs:build

            - name: Upload artifact
              uses: actions/upload-pages-artifact@v3
              with:
-                  path: docs/.vitepress/dist
+                  path: packages/api/docs/.vitepress/dist

    # Deployment job
    deploy:
--- a/nix/module.nix
+++ b/nix/module.nix
@ -123,6 +123,28 @@ in {
            StandardError = "journal";
            SyslogIdentifier = "${name}";

+            # Hardening
+            CapabilityBoundingSet = [""];
+            LockPersonality = true;
+            PrivateMounts = true;
+            PrivateTmp = true;
+            ProcSubset = "pid";
+            ProtectClock = true;
+            ProtectControlGroups = true;
+            ProtectHome = true;
+            ProtectHostname = true;
+            ProtectKernelLogs = true;
+            ProtectKernelModules = true;
+            ProtectKernelTunables = true;
+            ProtectProc = "invisible";
+            ProtectSystem = "strict";
+            RestrictNamespaces = true;
+            RestrictRealtime = true;
+            RestrictSUIDSGID = true;
+            SystemCallArchitectures = "native";
+            RemoveIPC = true;
+            NoNewPrivileges = true;
+
            Environment = [
              "CONFIG_LOCATION=${configFile}"
            ];
Author	SHA1	Message	Date
Jesse Wierzbinski	0d53436f7e	ci: 💚 Fix CI docs Some checks failed CodeQL Scan / Analyze (javascript-typescript) (push) Failing after 1s Details Build Docker Images / lint (push) Failing after 8s Details Build Docker Images / check (push) Failing after 8s Details Build Docker Images / tests (push) Failing after 8s Details Build Docker Images / detect-circular (push) Failing after 8s Details Build Docker Images / build (server, Dockerfile, ${{ github.repository_owner }}/server) (push) Has been skipped Details Deploy Docs to GitHub Pages / build (push) Failing after 1s Details Build Docker Images / build (worker, Worker.Dockerfile, ${{ github.repository_owner }}/worker) (push) Has been skipped Details Deploy Docs to GitHub Pages / Deploy (push) Has been skipped Details Mirror to Codeberg / Mirror (push) Failing after 1s Details Nix Build / check (push) Failing after 1s Details Test Publish / build (client) (push) Failing after 1s Details Test Publish / build (sdk) (push) Failing after 1s Details	2025-08-22 20:46:38 +02:00
Jesse Wierzbinski	d8f9f47814	ci: 💚 Add detect-circular as dependency for docker build	2025-08-22 20:45:11 +02:00
Jesse Wierzbinski	b46f7828a5	feat: 🔒 Harden Systemd unit config	2025-08-22 20:44:26 +02:00