add qrbill.service systemd service file

systemd/qrbill.service

@@ -0,0 +1,45 @@
+[Unit]
+Description=qrbill
+
+[Service]
+ExecStart=/usr/local/bin/qrbill-api
+
+# See also http://0pointer.net/blog/dynamic-users-with-systemd.html
+DynamicUser=yes
+
+# Remove all capabilities(7), this is a stateless web server:
+CapabilityBoundingSet=
+
+# Ensure the service can never gain new privileges:
+NoNewPrivileges=yes
+
+# Prohibit access to any kind of namespacing:
+RestrictNamespaces=yes
+
+# Make home directories inaccessible:
+ProtectHome=true
+
+# Make device nodes except for /dev/null, /dev/zero, /dev/full,
+# /dev/random and /dev/urandom inaccessible:
+PrivateDevices=yes
+
+# Make users other than root and the user for this daemon inaccessible:
+PrivateUsers=yes
+
+# Make cgroup file system hierarchy inaccessible:
+ProtectControlGroups=yes
+
+# Deny kernel module loading:
+ProtectKernelModules=yes
+
+# Make kernel variables (e.g. /proc/sys) read-only:
+ProtectKernelTunables=yes
+
+# Filter dangerous system calls. The following is listed as safe basic choice
+# in systemd.exec(5):
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+[Install]
+WantedBy=multi-user.target