Update .service, use upstream config, fix HOME.

author: ml 2020-03-10 08:13:29 +0100
committer: ml 2020-03-13 05:10:40 +0100
commit: 6eb13edc93780a56ca10c594ab8174fd15a5df72 (patch)
tree: 04dd92bea9ed2832b66ba3b94b1d69673e661c20 /gotify-server.service
parent: 004120691f479cf1c0f2590f70b07161e56e5938 (diff)
download: aur-6eb13edc93780a56ca10c594ab8174fd15a5df72.tar.gz
1 files changed, 28 insertions, 0 deletions
diff --git a/gotify-server.service b/gotify-server.service
index 4e87bab05dc1..eaafa54f9ca1 100644
--- a/gotify-server.service
+++ b/gotify-server.service
@@ -7,6 +7,34 @@ Type=simple
 User=gotify
 Group=gotify
 ExecStart=/usr/bin/gotify-server
+WorkingDirectory=~
+ReadOnlyPaths=/etc/gotify/config.yml
+ReadWritePaths=/var/lib/gotify
+UMask=0077
+CapabilityBoundingSet=
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
 
 [Install]
 WantedBy=multi-user.target
author	ml	2020-03-10 08:13:29 +0100
committer	ml	2020-03-13 05:10:40 +0100
commit	6eb13edc93780a56ca10c594ab8174fd15a5df72 (patch)
tree	04dd92bea9ed2832b66ba3b94b1d69673e661c20 /gotify-server.service
parent	004120691f479cf1c0f2590f70b07161e56e5938 (diff)
download	aur-6eb13edc93780a56ca10c594ab8174fd15a5df72.tar.gz