1 files changed, 58 insertions, 0 deletions

diff --git a/matrix-media-repo.service b/matrix-media-repo.service
new file mode 100755
index 000000000000..629017d53d9e
--- /dev/null
+++ b/matrix-media-repo.service
@@ -0,0 +1,58 @@
+[Unit]
+Description=Matrix Media Repo
+RequiresMountsFor=/var/lib/private/matrix-media-repo
+After=network.target
+
+[Service]
+OOMPolicy=stop
+OOMScoreAdjust=10
+
+DynamicUser=yes
+ExecStartPre=/usr/bin/cp "/etc/matrix-media-repo.yaml" "/var/lib/private/matrix-media-repo/config.yaml"
+ExecStart=/usr/lib/matrix-media-repo/media_repo -config /var/lib/private/matrix-media-repo/config.yaml
+Restart=always
+StateDirectory=matrix-media-repo
+WorkingDirectory=/var/lib/private/matrix-media-repo
+#CPUQuota=35%
+CPUWeight=80
+RestartSec=1s
+
+ProtectProc=invisible
+PrivateUsers=yes
+RestrictNamespaces=yes
+UMask=077
+
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+#SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@swap
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target