dwelling-home/init/systemd.service

# Unit metadata and start-up ordering for the dwelling-home service.
[Unit]
Description=Arav's dwelling / Home
# NOTE(review): After= only orders this unit relative to network-online.target;
# it does not pull that target in. If the service really needs the network to
# be up before it starts, pair this with Wants=network-online.target.
After=network-online.target
# Process definition and sandboxing for the service.
[Service]
# simple: the process started by ExecStart= is the main service process.
Type=simple
# Restart only after an unclean exit (non-zero status, fatal signal, timeout).
Restart=on-failure
# Run under a UID/GID that systemd allocates when the unit starts and releases
# when it stops, so no static account has to exist. systemd documents that this
# also implies several sandboxing options which this unit sets explicitly as
# well (for example PrivateTmp=, NoNewPrivileges=, RestrictSUIDSGID=).
DynamicUser=yes
# Start the server on a Unix socket and keep its database under
# /var/lib/dwelling-home; the directory names match RuntimeDirectory= and
# StateDirectory= in this unit.
# NOTE(review): the socket path goes through /var/run, normally a compatibility
# symlink to /run, where RuntimeDirectory= is created. Confirm on the target
# system. Who may connect is decided by the socket file's owner and mode; this
# unit sets neither UMask= nor RuntimeDirectoryMode=, so verify what the binary
# creates.
# -captcha-expiry and -guestbook-page-size are application options; their exact
# meaning is not visible in this file.
ExecStart=/usr/bin/dwelling-home -listen /var/run/dwelling-home/sock \
-database-path /var/lib/dwelling-home -captcha-expiry 10m \
-guestbook-page-size 60
# Filesystem, capability and privilege restrictions.
# Make the file system hierarchy read-only for the service's processes.
ReadOnlyPaths=/
# Directory created under /run for the service; it holds the listening socket
# named in ExecStart=.
RuntimeDirectory=dwelling-home
# Directory under /var/lib for persistent data; matches -database-path in
# ExecStart=.
StateDirectory=dwelling-home
# Empty assignment: no ambient capabilities are granted.
AmbientCapabilities=
# Empty bounding set: the service cannot hold or acquire any Linux capability.
CapabilityBoundingSet=
# Lock the personality(2) execution domain.
LockPersonality=true
# Refuse memory mappings that are both writable and executable. A runtime that
# generates code on the fly would fail under this setting.
MemoryDenyWriteExecute=true
# The process and its children cannot gain privileges through execve()
# (setuid/setgid bits, file capabilities).
NoNewPrivileges=true
# Private /dev containing only pseudo-devices; no access to physical devices.
PrivateDevices=true
# Private /tmp and /var/tmp, not shared with other processes on the host.
PrivateTmp=true
# Run in a separate user namespace with a minimal user/group mapping; other
# host users appear as "nobody".
PrivateUsers=true
# Expose only the process-related part of /proc to the service.
ProcSubset=pid
# Deny changes to the system and hardware clocks.
ProtectClock=true
# Make the control group hierarchy read-only for the service.
ProtectControlGroups=true
# Make /home, /root and /run/user inaccessible and empty for the service.
ProtectHome=true
# Give the service its own UTS namespace and block changes to the host name
# and domain name.
ProtectHostname=true
# Deny access to the kernel log ring buffer.
ProtectKernelLogs=true
# Deny explicit loading and unloading of kernel modules.
ProtectKernelModules=true
# Make kernel tunables (such as /proc/sys and /sys) read-only.
ProtectKernelTunables=true
# Take away access to most of other users' process metadata in /proc.
ProtectProc=noaccess
# strict: the whole file system hierarchy is mounted read-only for the service,
# apart from the API file systems /dev, /proc and /sys.
ProtectSystem=strict
# Only these socket address families may be used.
# NOTE(review): ExecStart= listens on a Unix socket. If the service makes no
# outbound network connections, AF_INET and AF_INET6 could be dropped. Confirm
# against the application.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Deny creation of, and switching into, Linux namespaces.
RestrictNamespaces=true
# Deny realtime scheduling policies.
RestrictRealtime=true
# Deny setting the set-user-ID / set-group-ID bits on files and directories.
RestrictSUIDSGID=true
# Allow only system calls of the native ABI, so the system call filter cannot
# be sidestepped through an alternative ABI.
SystemCallArchitectures=native
# Deny-list of system call groups: the leading "~" inverts each list, and the
# repeated SystemCallFilter= lines are combined.
# NOTE(review): any call outside these groups stays allowed. An allow-list
# (for example one starting from @system-service) is the tighter form, if the
# application works under it.
# No SystemCallErrorNumber= is set, so a filtered call terminates the process
# instead of returning an error; presumably Restart=on-failure then restarts
# it. Watch the journal for such kills after deploying.
SystemCallFilter=~@clock
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@debug
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@obsolete
SystemCallFilter=~@privileged
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@swap
# Enablement: "systemctl enable" attaches the unit to the normal multi-user
# boot target.
[Install]
WantedBy=multi-user.target