diff options
author | Kimiblock Moe | 2024-04-04 11:54:45 +0800 |
---|---|---|
committer | Kimiblock Moe | 2024-04-04 11:54:45 +0800 |
commit | 1f47cb7fc9fa00b41e80f9c4391459f53f7f41c9 (patch) | |
tree | 5cb388533ce5fb90020de23892cb2e9d115ca7e8 /matrix-media-repo.service | |
parent | 7ff237ba3382e9fe9b9d3b7896765c93afa87bcb (diff) | |
download | aur-matrix-media-repo.tar.gz |
Add systemd service
Diffstat (limited to 'matrix-media-repo.service')
-rwxr-xr-x | matrix-media-repo.service | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/matrix-media-repo.service b/matrix-media-repo.service new file mode 100755 index 000000000000..629017d53d9e --- /dev/null +++ b/matrix-media-repo.service @@ -0,0 +1,58 @@ +[Unit] +Description=Matrix Media Repo +RequiresMountsFor=/var/lib/private/matrix-media-repo +After=network.target + +[Service] +OOMPolicy=stop +OOMScoreAdjust=10 + +DynamicUser=yes +ExecStartPre=/usr/bin/cp "/etc/matrix-media-repo.yaml" "/var/lib/private/matrix-media-repo/config.yaml" +ExecStart=/usr/lib/matrix-media-repo/media_repo -config /var/lib/private/matrix-media-repo/config.yaml +Restart=always +StateDirectory=matrix-media-repo +WorkingDirectory=/var/lib/private/matrix-media-repo +#CPUQuota=35% +CPUWeight=80 +RestartSec=1s + +ProtectProc=invisible +PrivateUsers=yes +RestrictNamespaces=yes +UMask=077 + +SystemCallFilter=~@clock +SystemCallFilter=~@cpu-emulation +SystemCallFilter=~@debug +SystemCallFilter=~@module +#SystemCallFilter=~@mount +SystemCallFilter=~@obsolete +SystemCallFilter=~@raw-io +SystemCallFilter=~@reboot +SystemCallFilter=~@swap + +CapabilityBoundingSet= +AmbientCapabilities= + +ProtectSystem=strict +ProtectHome=yes +PrivateTmp=yes +PrivateDevices=yes +ProtectHostname=yes +ProtectClock=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectKernelLogs=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +LockPersonality=yes +MemoryDenyWriteExecute=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +RemoveIPC=yes +SystemCallArchitectures=native + +[Install] +WantedBy=multi-user.target |