diff options
| author | Thor77 | 2021-04-03 18:58:09 +0200 |
|---|---|---|
| committer | Thor77 | 2021-04-03 18:58:09 +0200 |
| commit | f20f4ffcd06236901218eb68760cf6929a4e0d45 (patch) | |
| tree | e2517ed502d59a04ee05f978ab8da82270a4159d | |
| parent | d8beb061db17cca2fbc4eaf191adc54134b12005 (diff) | |
| download | aur-f20f4ffcd062.tar.gz | |
Merge systemd unit changes from upstream
thanks for the hint to aur/somini
| -rw-r--r-- | miniflux.service | 39 |
1 files changed, 38 insertions, 1 deletions
diff --git a/miniflux.service b/miniflux.service index 8e7ea982099d..8248be7c5bd3 100644 --- a/miniflux.service +++ b/miniflux.service @@ -4,11 +4,48 @@ Wants=network-online.target postgresql.service After=network-online.target postgresql.service [Service] -Type=simple +Type=notify EnvironmentFile=/etc/miniflux.conf User=miniflux ExecStart=/usr/bin/miniflux Restart=always +# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#NoNewPrivileges= +NoNewPrivileges=true + +# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateDevices= +PrivateDevices=true + +# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectControlGroups= +ProtectControlGroups=true + +# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome= +ProtectHome=true + +# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelModules= +ProtectKernelModules=true + +# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables= +ProtectKernelTunables=true + +# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem= +ProtectSystem=strict + +# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictRealtime= +RestrictRealtime=true + +# Keep at least the /run folder writeable if Miniflux is configured to use a Unix socket. +# For example, the socket could be LISTEN_ADDR=/run/miniflux/miniflux.sock +# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths= +ReadWritePaths=/run + +# Allow miniflux to bind to <1024 ports +# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#AmbientCapabilities= +AmbientCapabilities=CAP_NET_BIND_SERVICE + +# Provide a private /tmp +# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp= +PrivateTmp=true + [Install] WantedBy=multi-user.target |