[Unit]
# Name shown by systemctl and in the journal.
Description=Koito ListenBrainz Scrobbler
# Ordering only: when these units are part of the same transaction, start
# koito after them. After= does not pull anything in by itself.
After=network.target network-online.target postgresql.service
# Weak dependencies: request network-online.target and postgresql.service, but
# still start koito if either is missing or fails to start.
# NOTE(review): presumably koito talks to a PostgreSQL instance on this host;
# if the database is remote, the postgresql.service entries have no effect - confirm.
Wants=network-online.target postgresql.service
[Install]
# Used only by `systemctl enable`/`disable`: enabling the unit makes
# multi-user.target want it, so it starts on a normal multi-user boot.
WantedBy=multi-user.target
[Service]
# Runs /usr/bin/koito as an unprivileged, dynamically allocated user inside a
# restricted sandbox. The only writable persistent location configured here is
# the state directory; everything else is read-only or hidden (see below).
# simple: the unit counts as started as soon as the main process is forked.
Type=simple
# Allocate a transient UID/GID for each run instead of a static account.
# DynamicUser=yes already implies PrivateTmp=, NoNewPrivileges=,
# RestrictSUIDSGID=, RemoveIPC=, ProtectSystem=strict and
# ProtectHome=read-only; the explicit lines below restate or tighten these.
DynamicUser=yes
# Persistent state lives in /var/lib/koito, owned by the service user. With
# DynamicUser= this is a symlink into /var/lib/private/, which unprivileged
# users cannot enter.
StateDirectory=koito
# 0755 is also the default mode. Other local users are kept out by the
# /var/lib/private boundary rather than by this mode.
# NOTE(review): 0750 or 0700 would not depend on that boundary - confirm
# nothing else needs to read the directory before tightening.
StateDirectoryMode=0755
# Read-only for the service because of ProtectSystem=strict.
# NOTE(review): presumably holds static assets shipped by the package - confirm.
WorkingDirectory=/usr/share/koito
# systemd reads this file itself when starting the service, so it does not
# have to be readable by the service user.
# NOTE(review): likely carries database credentials or API tokens; keep it
# root-owned with mode 0600 - confirm against the packaging.
EnvironmentFile=/etc/koito.env
ExecStart=/usr/bin/koito
# Restart on non-zero exit, fatal signal or timeout, but not on a clean exit.
Restart=on-failure
# Seconds to wait before each restart.
RestartSec=5
# Sandboxing options; reference:
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
# NOTE(review): `systemd-analyze security` on the installed unit lists what is
# still exposed (for example ProtectProc=, ProcSubset= and
# MemoryDenyWriteExecute= are not set here) - evaluate before adding them.
# Empty assignment: no capability remains in the bounding set.
CapabilityBoundingSet=
# cgroup device policy: only the standard pseudo devices (/dev/null,
# /dev/zero, /dev/urandom, ...) may be opened. PrivateDevices=yes further down
# implies the same policy, so this line is explicit rather than required.
DevicePolicy=closed
# The process and its children cannot gain privileges through execve()
# (setuid/setgid bits, file capabilities).
NoNewPrivileges=yes
# Lock the execution domain; personality() can no longer change it.
LockPersonality=yes
# Private /tmp and /var/tmp, not shared with the rest of the system.
PrivateTmp=yes
# Run in a user namespace where only root and the service user are mapped;
# every other UID/GID appears as "nobody".
PrivateUsers=yes
# Make the cgroup hierarchy under /sys/fs/cgroup read-only.
ProtectControlGroups=yes
# Deny explicit loading and unloading of kernel modules.
ProtectKernelModules=yes
# Make kernel tunables (/proc/sys, /sys and similar) read-only.
ProtectKernelTunables=yes
# Deny writes to the system and hardware clocks.
ProtectClock=yes
# Deny changes to the host name and domain name.
ProtectHostname=yes
# Deny access to the kernel log ring buffer.
ProtectKernelLogs=yes
# Allow-list of socket families: local sockets and IPv4/IPv6 only. Netlink,
# packet and other families cannot be opened.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Deny creating or joining any kind of Linux namespace.
RestrictNamespaces=yes
# Deny realtime scheduling policies.
RestrictRealtime=yes
# Order matters for the next two lines: the first occurrence makes the filter
# an allow-list (@system-service), the second removes the @privileged group
# from that list. Do not swap or merge them without re-checking the result.
# A call outside the list terminates the process with SIGSYS, because
# SystemCallErrorNumber= is not set.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
# Only the native system call ABI is permitted, so the filter cannot be
# sidestepped through an alternative ABI such as 32-bit calls on x86-64.
SystemCallArchitectures=native
# New files are created without group/other read and write bits (0600 for
# regular files). Directories come out as 0711: others can still traverse
# them but not list them.
UMask=0066
# Private /dev containing only pseudo devices; no physical devices.
PrivateDevices=yes
# Entire file system hierarchy is read-only for the service except /dev, /proc
# and /sys; the StateDirectory= above stays writable.
ProtectSystem=strict
# /home, /root and /run/user are inaccessible and appear empty. This is
# stricter than the read-only setting implied by DynamicUser=yes.
ProtectHome=true