# systemd unit for the Agate Gemini server: metadata and start ordering.
[Unit]
Description=Agate Gemini Server
# Ordering only: the service is started after network.target when both are
# queued. After= does not pull that target in, and network.target does not
# guarantee that addresses are configured (network-online.target is the
# target for that).
After=network.target
# How the server process is started and how it is sandboxed.
[Service]
# The unit counts as started as soon as the main process has been spawned.
Type=simple
# Supplies AGATE_HOSTNAME and AGATE_CONTENT for ExecStart below. The values
# end up on the server's command line, so whoever can edit this file controls
# its arguments: keep it root-owned and not writable by the agate account.
EnvironmentFile=/etc/conf.d/agate
# Unbraced $VAR is split on whitespace into zero or more arguments, so an
# empty or unset variable makes the following flag swallow the next word and
# a value containing spaces becomes several arguments. ${VAR} always expands
# to exactly one argument.
# NOTE(review): if hostnames/paths are always single values, the braced form
# would be the stricter choice - confirm against how /etc/conf.d/agate is used.
ExecStart=/usr/bin/agate --hostname $AGATE_HOSTNAME --content $AGATE_CONTENT --certs /var/lib/agate/certs/
# Run as a dedicated unprivileged account rather than root.
# No listen address is passed above, so the server's built-in default is used;
# presumably an unprivileged port, since no capability is granted - verify.
User=agate
Group=agate
# The process and its children can never gain privileges through setuid/setgid
# binaries or file capabilities.
NoNewPrivileges=yes
# Private /tmp and /var/tmp, not shared with other services.
PrivateTmp=yes
# Private /dev containing only pseudo devices (null, zero, random, ...);
# DevicePolicy=closed enforces the same restriction through the device cgroup.
PrivateDevices=yes
DevicePolicy=closed
# Whole file system hierarchy is mounted read-only for the service (except
# /dev, /proc and /sys); ReadWritePaths= re-opens the one writable exception.
ProtectSystem=strict
# Only the certificate directory handed to --certs is writable.
# presumably the server creates or updates key material here - confirm, and
# keep the directory owned by agate with no access for other users.
ReadWritePaths=/var/lib/agate/certs/
# /home, /root and /run/user are read-only but still readable.
# NOTE(review): if AGATE_CONTENT never points below a home directory,
# ProtectHome=yes would make those directories inaccessible altogether.
ProtectHome=read-only
# Read-only control group hierarchy, no kernel module loading, and read-only
# kernel tunables (/proc/sys, /sys and similar).
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# socket() is limited to the listed address families.
# NOTE(review): AF_NETLINK widens this beyond plain IP and local sockets;
# confirm the server needs it and drop it if it runs without.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
# No creation of or switching into new namespaces, no realtime scheduling,
# no setting of setuid/setgid bits on files.
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Forbids memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=yes
# Locks the execution domain (personality) to the default.
LockPersonality=yes
# NOTE(review): not set in this unit: CapabilityBoundingSet=,
# SystemCallFilter=, SystemCallArchitectures=, ProtectKernelLogs=,
# ProtectClock=, ProtectHostname=, ProtectProc=. `systemd-analyze security`
# on this unit shows the remaining exposure; test each addition against the
# running server before shipping it.
# Enable-time wiring: `systemctl enable` adds this unit to the wants of
# multi-user.target, so it is started on a normal (non-rescue) boot.
[Install]
WantedBy=multi-user.target