blob: a74a65e1906a985964c9259f494200cdaaa9ec83 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
[Unit]
Description=Beszel Agent
Wants=network-online.target
After=network-online.target
[Service]
EnvironmentFile=-/etc/beszel-agent.conf
ExecSearchPath=/opt/rocm/bin:/usr/local/sbin:/usr/local/bin:/usr/bin
ExecStart=/opt/beszel-agent/beszel-agent
User=beszel
Group=beszel
Restart=on-failure
RestartSec=5
StateDirectory=beszel-agent
# hardening
KeyringMode=private
LockPersonality=yes
ProtectClock=yes
ProtectHome=read-only
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectSystem=strict
RemoveIPC=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
# required for smartctl & intel_gpu_top
AmbientCapabilities=CAP_SYS_RAWIO CAP_SYS_ADMIN CAP_PERFMON
CapabilityBoundingSet=CAP_SYS_RAWIO CAP_SYS_ADMIN CAP_PERFMON
[Install]
WantedBy=multi-user.target
|