blob: 1257000860783ffc75545f0c7171475c826b2554 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
[Unit]
Description=thelounge - Modern, responsive, cross-platform, self-hosted web IRC client
Documentation=https://thelounge.chat/docs
After=network-online.target
Wants=network-online.target
[Service]
Environment=THELOUNGE_HOME=/var/lib/%N
ExecStart=/usr/bin/%N start
WorkingDirectory=/var/lib/%N
User=%N
Group=%N
UMask=0027
# Sandboxing and hardening systemd.exec(5)
PrivateUsers=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
RestrictRealtime=yes
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
NoNewPrivileges=true
# set entire file system to read only except following ReadWritePaths
ProtectSystem=strict
ReadWritePaths=/var/lib/%N
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
[Install]
WantedBy=multi-user.target
|
GitWeb
