Diffstat (limited to 'microbin.service')
-rw-r--r-- | microbin.service | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/microbin.service b/microbin.service
new file mode 100644
index 000000000000..b0a961ea4156
--- /dev/null
+++ b/microbin.service
@@ -0,0 +1,48 @@
+[Unit]
+Description=A tiny, self-contained, configurable paste bin and URL shortener
+Documentation=https://github.com/szabodanika/microbin
+After=network.target
+
+[Service]
+# hardening
+ReadWritePaths="/var/lib/microbin/"
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+PrivateDevices=true
+DevicePolicy=closed
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+ProtectHostname=true
+PrivateTmp=true
+ProtectClock=true
+LockPersonality=true
+RestrictNamespaces=true
+RestrictRealtime=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+ProtectHome=true
+RemoveIPC=true
+RestrictSUIDSGID=true
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+# enable for 1-1024 port listening
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+# enable to specify a higher limit for open files/connections
+#LimitNOFILE=1000000
+
+User=http
+Group=http
+StateDirectory=microbin
+WorkingDirectory=/var/lib/microbin
+EnvironmentFile=/etc/microbin.conf
+ExecStart=microbin
+Restart=on-failure
+KillSignal=SIGINT
+
+[Install]
+WantedBy=default.target |
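Review bot: `User=http` / `Group=http` near the end of `[Service]` appears to run the paste bin under a shared web-server account (inferred from the name), so the sandboxing directives above do not separate it from other processes with that uid, which can signal it and read files it owns. Because `StateDirectory=microbin` already provisions the state directory, a dedicated account or `DynamicUser=yes` would fit here. `ExecStart=microbin` is resolved through systemd's built-in search path, and an absolute path would pin which binary is started. `EnvironmentFile=/etc/microbin.conf` is read by the service manager rather than by the service user, so if it holds credentials it can be root-owned with mode 0600, and a comment next to the line saying so would help packagers. While `AmbientCapabilities` stays commented out, an empty `CapabilityBoundingSet=` is the tighter default, with `CAP_NET_BIND_SERVICE` restored only together with the ambient line.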