# Example systemd configuration file for duckcloud. Copy into
#    /etc/systemd/system/, update the paths if necessary, then:
#
#    systemctl enable duckcloud
#    systemctl start duckcloud
#
# This assumes that Duckcloud has been installed by a user named
# duckcloud and that the data directory passed via --folder in
# "ExecStart" (and listed in "ReadWritePaths") already exists and is
# owned by the user duckcloud.
#
# **NOTE:** This is an example service file that may change in the future. If you
# wish to use this please copy rather than symlink it.
#

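[Unit]
Description=The Duckcloud backup server
# Ordering only: network.target means the network stack has been configured,
# not that the host is online. That is enough for a server that binds and waits.
After=network.target

[Service]
# The binary must send READY=1 (sd_notify) once it is serving; until then the
# unit stays "activating" and the start is failed after TimeoutSec.
Type=notify
# Seconds allowed for start-up (READY=1) and for shutdown before SIGKILL.
TimeoutSec=120
# Only the main process may send notify messages; forked helpers are ignored.
NotifyAccess=main
# Reload is a plain SIGHUP to the main process; the binary must handle it.
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
# Run unprivileged. The duckcloud user and group must exist before the unit
# starts.
User=duckcloud
Group=duckcloud
SyslogIdentifier=duckcloud
# systemd decrypts the credential and hands it to the service as the file
# "password" under $CREDENTIALS_DIRECTORY, readable by the service user only.
# The cleartext never appears in the unit file, the environment or the
# command line.
LoadCredentialEncrypted=password:/etc/duckcloud/password.cred

# Data location. Keep "ExecStart" and "ReadWritePaths" in sync: ExecStart
# tells the server where to put the data, ReadWritePaths makes that directory
# writable despite ProtectSystem=strict. Everything else under / is read-only
# (the private /tmp from PrivateTmp= is the only other writable location).
#
# NOTE(review): /usr/share is meant for read-only packaged data. A state
# directory (StateDirectory=duckcloud, which provides /var/lib/duckcloud,
# creates it owned by User= and makes it writable automatically) is the
# conventional home for mutable server data.
ReadWritePaths=/usr/share/duckcloud
ExecStart=/usr/bin/duckcloud run --folder=/usr/share/duckcloud

# ######################
# ## Security Sandbox ##
# ######################

# Private, empty tmpfs at /tmp and /var/tmp; no access to physical devices
# (only pseudo-devices such as /dev/null, /dev/zero and /dev/random remain).
PrivateTmp=true
PrivateDevices=true

# Drop every capability from the bounding set and grant none ambiently.
# An empty assignment means "none"; these lines must be active (not
# commented out) for the restriction to take effect.
CapabilityBoundingSet=
AmbientCapabilities=

# Protect from modification:
# - the entire filesystem (except ReadWritePaths= above)
# - sysctl settings and loaded kernel modules
# - control groups
# - hostname
# - system clock
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectHostname=true
ProtectClock=true

# Hide /home, /root and /run/user, and the kernel log buffer.
ProtectHome=true
ProtectKernelLogs=true

# Only the service's own processes are visible in /proc, and /proc is reduced
# to the pid/ subdirectories (no /proc/loadavg, /proc/meminfo, ...).
ProtectProc=invisible
ProcSubset=pid

# Network: stays in the host network namespace and may talk to any address,
# but may only create IPv4, IPv6 and Unix-domain sockets (no AF_NETLINK,
# AF_PACKET, ...). PrivateNetwork=false and IPAddressAllow=any are the
# defaults, written out to make the choice explicit.
PrivateNetwork=false
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
IPAddressAllow=any

# System calls: only the native ABI (no 32-bit compat entry points), and only
# the @system-service set, which covers what an ordinary daemon needs and
# excludes the privileged groups (module loading, reboot, mount, raw I/O, ...).
# With no SystemCallErrorNumber= set, a call outside the set kills the process.
# The filter also applies to ExecReload's kill(1); kill(2) is in the set.
SystemCallArchitectures=native
SystemCallFilter=@system-service

# Misc restrictions: no setuid/setgid file creation, IPC objects removed on
# stop, no privilege gain via execve, no realtime scheduling, no new
# namespaces, personality locked, and a private user namespace so that any
# capability the process might hold only applies inside that namespace.
RestrictSUIDSGID=true
RemoveIPC=true
NoNewPrivileges=true
RestrictRealtime=true
RestrictNamespaces=true
LockPersonality=true
PrivateUsers=true

# NOTE(review): consider UMask=0077 so that files the server creates in the
# data directory are not world-readable by default; whether that matters
# depends on the modes duckcloud itself applies.

[Install]
WantedBy=multi-user.target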