From c9cd171d6f00151b93fea816194206721a78cf65 Mon Sep 17 00:00:00 2001
From: Michael Stapelberg
Date: Mon, 20 May 2024 10:55:45 +0200
Subject: [PATCH] add qrbill.service systemd service file
---
 systemd/qrbill.service | 45 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 systemd/qrbill.service
diff --git a/systemd/qrbill.service b/systemd/qrbill.service
new file mode 100644
index 0000000..fc6d49a
--- /dev/null
+++ b/systemd/qrbill.service
@@ -0,0 +1,45 @@
+[Unit]
+Description=qrbill
+
+[Service]
+ExecStart=/usr/local/bin/qrbill-api
+
+# See also http://0pointer.net/blog/dynamic-users-with-systemd.html
+DynamicUser=yes
+
+# Remove all capabilities(7), this is a stateless web server:
+CapabilityBoundingSet=
+
+# Ensure the service can never gain new privileges:
+NoNewPrivileges=yes
+
+# Prohibit access to any kind of namespacing:
+RestrictNamespaces=yes
+
+# Make home directories inaccessible:
+ProtectHome=true
+
+# Make device nodes except for /dev/null, /dev/zero, /dev/full,
+# /dev/random and /dev/urandom inaccessible:
+PrivateDevices=yes
+
+# Make users other than root and the user for this daemon inaccessible:
+PrivateUsers=yes
+
+# Make cgroup file system hierarchy inaccessible:
+ProtectControlGroups=yes
+
+# Deny kernel module loading:
+ProtectKernelModules=yes
+
+# Make kernel variables (e.g. /proc/sys) read-only:
+ProtectKernelTunables=yes
+
+# Filter dangerous system calls. The following is listed as safe basic choice
+# in systemd.exec(5):
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+[Install]
+WantedBy=multi-user.target
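Review bot: The new unit locks down capabilities, namespaces, devices and syscalls but leaves the socket layer open: a stateless HTTP daemon only needs IP sockets, so `RestrictAddressFamilies=AF_INET AF_INET6` in the `[Service]` section would close off AF_UNIX, AF_NETLINK and AF_PACKET to a compromised process (add AF_UNIX only if qrbill-api actually talks to a local socket; I cannot tell from the unit alone). The same section would benefit from the remaining cheap sandboxing knobs that `systemd-analyze security qrbill.service` will otherwise flag — an explicit `ProtectSystem=strict` (DynamicUser= implies it, but spelling it out survives a later removal of DynamicUser=), plus `ProtectKernelLogs=`, `ProtectClock=`, `ProtectHostname=`, `LockPersonality=`, `RestrictRealtime=` and `RestrictSUIDSGID=`. For a non-privileged service the filter can also exclude `@privileged` and `@resources` on top of the `@system-service` allow-list already present. A `Restart=on-failure` line is worth adding alongside ExecStart= so that a crash (including one triggered by the EPERM returned from the syscall filter) does not leave the API down.
```ini
[Service]
ExecStart=/usr/local/bin/qrbill-api
Restart=on-failure

# … unchanged: DynamicUser= … ProtectKernelTunables= …

# Only IP sockets are needed by a stateless web server; add AF_UNIX
# if the binary turns out to use a local socket.
RestrictAddressFamilies=AF_INET AF_INET6

# Explicit even though DynamicUser=yes implies it:
ProtectSystem=strict

ProtectKernelLogs=yes
ProtectClock=yes
ProtectHostname=yes
LockPersonality=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM

# … unchanged: [Install] section …
```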