92 lines
2.3 KiB
Desktop File
92 lines
2.3 KiB
Desktop File
# Changing the systemd config can be done like this:
|
|
# 1) Edit the config file: systemctl edit --full miniflux
|
|
# 2) Restart the process: systemctl restart miniflux
|
|
# All your changes can be reverted with `systemctl revert miniflux.service`.
|
|
# See https://wiki.archlinux.org/index.php/Systemd#Editing_provided_units.
|
|
# Also see https://www.freedesktop.org/software/systemd/man/systemd.service.html
|
|
# for available configuration options in this file.
|
|
|
|
[Unit]
|
|
Description=Miniflux
|
|
After=network.target postgresql.service
|
|
|
|
[Service]
|
|
ExecStart=/usr/bin/miniflux
|
|
User=miniflux
|
|
|
|
# Load environment variables from /etc/miniflux.conf.
|
|
EnvironmentFile=/etc/miniflux.conf
|
|
|
|
# Miniflux uses sd-notify protocol to notify about it's readiness.
|
|
Type=notify
|
|
|
|
# Enable watchdog.
|
|
WatchdogSec=60s
|
|
WatchdogSignal=SIGKILL
|
|
|
|
# Automatically restart Miniflux if it crashes.
|
|
Restart=always
|
|
RestartSec=5
|
|
|
|
# Allocate a directory at /run/miniflux for Unix sockets.
|
|
RuntimeDirectory=miniflux
|
|
|
|
# Allow Miniflux to bind to privileged ports.
|
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
|
|
# Make the system tree read-only.
|
|
ProtectSystem=strict
|
|
|
|
# Allocate a separate /tmp.
|
|
PrivateTmp=yes
|
|
|
|
# Ensure the service can never gain new privileges.
|
|
NoNewPrivileges=yes
|
|
|
|
# Prohibit access to any kind of namespacing.
|
|
RestrictNamespaces=yes
|
|
|
|
# Make home directories inaccessible.
|
|
ProtectHome=yes
|
|
|
|
# Make device nodes except for /dev/null, /dev/zero, /dev/full,
|
|
# /dev/random and /dev/urandom inaccessible.
|
|
PrivateDevices=yes
|
|
|
|
# Make cgroup file system hierarchy inaccessible.
|
|
ProtectControlGroups=yes
|
|
|
|
# Deny kernel module loading.
|
|
ProtectKernelModules=yes
|
|
|
|
# Make kernel variables (e.g. /proc/sys) read-only.
|
|
ProtectKernelTunables=yes
|
|
|
|
# Deny hostname changing.
|
|
ProtectHostname=yes
|
|
|
|
# Deny realtime scheduling.
|
|
RestrictRealtime=yes
|
|
|
|
# Deny access to the kernel log ring buffer.
|
|
ProtectKernelLogs=yes
|
|
|
|
# Deny setting the hardware or system clock.
|
|
ProtectClock=yes
|
|
|
|
# Filter dangerous system calls. The following is listed as safe basic
|
|
# choice in systemd.exec(5).
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=@system-service
|
|
SystemCallFilter=~@privileged
|
|
SystemCallFilter=~@resources
|
|
SystemCallErrorNumber=EPERM
|
|
|
|
# Deny kernel execution domain changing.
|
|
LockPersonality=yes
|
|
|
|
# Deny memory mappings that are writable and executable.
|
|
MemoryDenyWriteExecute=yes
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|