authorGeorge Rawlinson2021-05-19 01:58:28 +0000
committerGeorge Rawlinson2021-05-19 01:58:28 +0000
commit5c9dc5fdf8ef8f744e0af7d4ca165219461495fa (patch)
tree768f7ba415e1c4dd537e2465b9ff343f66d0fb13 /systemd.service
parente2961549d4e954d3e8cd4c2766042e68feaf37fb (diff)
downloadaur-5c9dc5fdf8ef8f744e0af7d4ca165219461495fa.tar.gz
upgpkg: homebridge-config-ui-x 4.41.1-2
* Fixed incorrect license. * Removed unnecessary dependencies. * Removed environment file in favour of environment variables in the systemd service file. * Added an install file with post_{install,upgrade} functions. * Hardened systemd service. * Removed login shell for homebridge user account.
Diffstat (limited to 'systemd.service')
-rw-r--r--systemd.service45
1 files changed, 35 insertions, 10 deletions
diff --git a/systemd.service b/systemd.service
index fa825398b043..fbc436116079 100644
--- a/systemd.service
+++ b/systemd.service
@@ -1,21 +1,46 @@
[Unit]
Description=Homebridge
-Wants=network-online.target
+Requires=network-online.target
After=syslog.target network-online.target
[Service]
-Type=simple
+Environment=HOMEBRIDGE_OPTS="-I -U /var/lib/homebridge"
+Environment=UIX_STORAGE_PATH="/var/lib/homebridge"
+ExecStart=/usr/bin/hb-service run $HOMEBRIDGE_OPTS
User=homebridge
Group=homebridge
-PermissionsStartOnly=true
-WorkingDirectory=/var/lib/homebridge
-EnvironmentFile=/etc/conf.d/homebridge
-ExecStart=/usr/bin/hb-service run $HOMEBRIDGE_OPTS
Restart=always
-RestartSec=3
-KillMode=process
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_SYS_ADMIN
-AmbientCapabilities=CAP_NET_RAW CAP_NET_BIND_SERVICE
+RestartSec=5s
+WorkingDirectory=/var/lib/homebridge
+ReadWritePaths=/var/lib/homebridge
+NoNewPrivileges=yes
+UMask=0077
+
+ProtectSystem=strict
+ProtectHome=yes
+PrivateUsers=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateMounts=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictNamespaces=yes
+#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 # causes status=1/FAILURE
+LockPersonality=yes
+#MemoryDenyWriteExecute=yes # causes issues with V8
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target
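Review bot: The `-I` in the new `Environment=HOMEBRIDGE_OPTS=...` line is, if this is Homebridge's usual flag, its insecure mode, which lets any client that can reach the HAP port control accessories without HomeKit pairing, and nothing in the hardened unit limits where that port is reachable from, so the flag deserves a comment above the line such as `# -I enables Homebridge insecure mode (needed by Config UI X for accessory control); keep the HAP/UI ports LAN-only via the host firewall.` The hardening block also gives up `RestrictAddressFamilies` entirely because of a start failure; the family most likely missing for a service that advertises over mDNS is AF_NETLINK (interface enumeration), so `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK` is worth testing before the whole directive is left commented out — this is inferred, the diff does not show the failure cause. Finally, `Requires=network-online.target` in place of the old `Wants=` means the service is torn down whenever that target deactivates; systemd's own guidance for network-dependent services is `Wants=` paired with the `After=` already present.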