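# systemd unit for the CrowdSec Traefik bouncer daemon.
[Unit]
Description=Crowdsec Traefik Bouncer
# After= only orders startup; Wants= is what pulls network-online.target into
# the boot transaction, so without it the ordering below may have no effect.
Wants=network-online.target
After=network-online.target
# fail the start job if the binary is missing or not executable
AssertFileIsExecutable=/usr/bin/crowdsec-traefik-bouncer

[Service]
# allow binding to ports below 1024
# NOTE(review): this unit sets no User=/DynamicUser=, so unless a drop-in adds
# one the service runs as root and this line restricts nothing. To get real
# least privilege, run as a dedicated unprivileged user and consider
# CapabilityBoundingSet=CAP_NET_BIND_SERVICE (test before enabling).
AmbientCapabilities=CAP_NET_BIND_SERVICE
# configure service behavior
Type=simple
ExecStart=/usr/bin/crowdsec-traefik-bouncer
Restart=always
# systemd treats the service as failed (and Restart=always restarts it) when no
# WATCHDOG=1 keep-alive arrives via sd_notify within this interval.
# NOTE(review): confirm the bouncer sends keep-alives; if it does not, this
# causes a restart loop.
WatchdogSec=1s
# environment for the daemon; the unit fails to start if this file is missing.
# NOTE(review): presumably holds the bouncer's CrowdSec API key - keep the file
# root-owned and not world-readable (e.g. mode 0600).
EnvironmentFile=/etc/default/crowdsec-traefik-bouncer
# lock down system access
# block privilege gain through setuid/setgid binaries or file capabilities
NoNewPrivileges=true
# mount the whole file system hierarchy read-only for this service
# (except /dev, /proc and /sys, which are covered by the settings below)
ProtectSystem=strict
# create separate, new (and empty) /tmp and /var/tmp filesystems
PrivateTmp=true
# make /home, /root and /run/user inaccessible
ProtectHome=true
# turn off access to physical devices; only pseudo devices such as /dev/null remain
PrivateDevices=true
# make kernel settings (procfs and sysfs) read-only
ProtectKernelTunables=true
# make cgroups /sys/fs/cgroup read-only
ProtectControlGroups=true
# limit number of processes in this unit - left disabled; the reason is not
# recorded here.
# NOTE(review): RLIMIT_NPROC also counts threads, so a value of 1 would likely
# break a multi-threaded daemon - confirm before enabling.
#LimitNPROC=1

[Install]
# started as part of the normal multi-user boot once the unit is enabled
WantedBy=multi-user.target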