miniflux/packaging/systemd/miniflux.service

93 lines
2.3 KiB
SYSTEMD
Raw Normal View History

# Changing the systemd config can be done like this:
# 1) Edit the config file: systemctl edit --full miniflux
# 2) Restart the process: systemctl restart miniflux
# All your changes can be reverted with `systemctl revert miniflux.service`.
# See https://wiki.archlinux.org/index.php/Systemd#Editing_provided_units.
# Also see https://www.freedesktop.org/software/systemd/man/systemd.service.html
# for available configuration options in this file.
[Unit]
2021-05-23 03:36:32 +02:00
Description=Miniflux
After=network.target postgresql.service
[Service]
ExecStart=/usr/bin/miniflux
User=miniflux
# Load environment variables from /etc/miniflux.conf.
EnvironmentFile=/etc/miniflux.conf
# Miniflux uses sd-notify protocol to notify about it's readiness.
2021-05-23 03:36:32 +02:00
Type=notify
# Enable watchdog.
2021-05-23 05:25:38 +02:00
WatchdogSec=60s
2021-05-23 03:36:32 +02:00
WatchdogSignal=SIGKILL
# Automatically restart Miniflux if it crashes.
2021-05-23 03:36:32 +02:00
Restart=always
RestartSec=5
# Allocate a directory at /run/miniflux for Unix sockets.
RuntimeDirectory=miniflux
# Allow Miniflux to bind to privileged ports.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Make the system tree read-only.
ProtectSystem=strict
# Allocate a separate /tmp.
PrivateTmp=yes
# Ensure the service can never gain new privileges.
NoNewPrivileges=yes
# Prohibit access to any kind of namespacing.
RestrictNamespaces=yes
# Make home directories inaccessible.
ProtectHome=yes
# Make device nodes except for /dev/null, /dev/zero, /dev/full,
# /dev/random and /dev/urandom inaccessible.
PrivateDevices=yes
# Make cgroup file system hierarchy inaccessible.
ProtectControlGroups=yes
# Deny kernel module loading.
ProtectKernelModules=yes
# Make kernel variables (e.g. /proc/sys) read-only.
ProtectKernelTunables=yes
# Deny hostname changing.
ProtectHostname=yes
# Deny realtime scheduling.
RestrictRealtime=yes
# Deny access to the kernel log ring buffer.
ProtectKernelLogs=yes
# Deny setting the hardware or system clock.
ProtectClock=yes
# Filter dangerous system calls. The following is listed as safe basic
# choice in systemd.exec(5).
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
SystemCallErrorNumber=EPERM
# Deny kernel execution domain changing.
LockPersonality=yes
# Deny memory mappings that are writable and executable.
MemoryDenyWriteExecute=yes
[Install]
WantedBy=multi-user.target