@@ -0,0 +1,69 @@
|
||||
[Unit]
|
||||
Description=eaglecast mailing list and newsletter manager (%I)
|
||||
ConditionPathExists=/etc/eaglecast/%i.toml
|
||||
Wants=network.target
|
||||
# The PostgreSQL database may not be on the same host but if it
|
||||
# is eaglecast should wait for it to start up.
|
||||
After=postgresql.service
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
EnvironmentFile=-/etc/default/eaglecast
|
||||
EnvironmentFile=-/etc/default/eaglecast-%i
|
||||
ExecStartPre=/usr/bin/mkdir -p "${HOME}/uploads"
|
||||
ExecStartPre=/usr/bin/eaglecast --config /etc/eaglecast/%i.toml --upgrade --yes
|
||||
ExecStart=/usr/bin/eaglecast --config /etc/eaglecast/%i.toml $SYSTEMD_EAGLECAST_ARGS
|
||||
Restart=on-failure
|
||||
|
||||
# Create dynamic users for eaglecast service instances
|
||||
# but create a state directory for uploads in /var/lib/private/%i.
|
||||
DynamicUser=True
|
||||
StateDirectory=eaglecast-%i
|
||||
Environment=HOME=%S/eaglecast-%i
|
||||
WorkingDirectory=%S/eaglecast-%i
|
||||
|
||||
# Use systemd’s ability to disable security-sensitive features
|
||||
# that eaglecast does not explicitly need.
|
||||
# NoNewPrivileges should be enabled by DynamicUser=yes but systemd-analyze
|
||||
# still recommended to explicitly enable it.
|
||||
NoNewPrivileges=True
|
||||
# eaglecast doesn’t need any capabilities as defined by the linux kernel
|
||||
# see: https://man7.org/linux/man-pages/man7/capabilities.7.html
|
||||
CapabilityBoundingSet=
|
||||
# eaglecast only executes native code with no need for any other ABIs.
|
||||
SystemCallArchitectures=native
|
||||
# Only enable a reasonable set of system calls.
|
||||
# see: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=
|
||||
SystemCallFilter=@system-service
|
||||
SystemCallFilter=~@privileged
|
||||
# ProtectSystem=strict, which is implied by DynamicUser=True, already disabled write calls
|
||||
# to the entire filesystem hierarchy, leaving only /dev/, /proc/, and /sys/ writable.
|
||||
# eaglecast doesn’t need access to those so might as well disable them.
|
||||
PrivateDevices=True
|
||||
ProtectControlGroups=True
|
||||
ProtectKernelTunables=True
|
||||
# Make /home/, /root/, and /run/user/ inaccessible.
|
||||
ProtectHome=True
|
||||
# eaglecast doesn’t handle any specific device nodes.
|
||||
DeviceAllow=False
|
||||
# eaglecast doesn’t make use of linux namespaces.
|
||||
RestrictNamespaces=True
|
||||
# eaglecast doesn’t need realtime scheduling.
|
||||
RestrictRealtime=True
|
||||
# Make sure files created by eaglecast are only readable by itself and
|
||||
# others in the eaglecast system group.
|
||||
UMask=0027
|
||||
# Disable memory mappings that are both writable and executable.
|
||||
MemoryDenyWriteExecute=True
|
||||
# eaglecast doesn’t make use of linux personality switching.
|
||||
LockPersonality=True
|
||||
# eaglecast only needs to support the IPv4 and IPv6 address families.
|
||||
RestrictAddressFamilies=AF_INET AF_INET6
|
||||
# eaglecast doesn’t need to load any linux kernel modules.
|
||||
ProtectKernelModules=True
|
||||
# Create a sandboxed environment where the system users are mapped to a
|
||||
# service-specific linux kernel namespace.
|
||||
PrivateUsers=True
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Reference in New Issue
Block a user