add qrbill.service systemd service file
This commit is contained in:
Michael Stapelberg
45
systemd/qrbill.service
Normal file
45
systemd/qrbill.service
Normal file
@@ -0,0 +1,45 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=qrbill
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
ExecStart=/usr/local/bin/qrbill-api
|
||||||
|
|
||||||
|
# See also http://0pointer.net/blog/dynamic-users-with-systemd.html
|
||||||
|
DynamicUser=yes
|
||||||
|
|
||||||
|
# Remove all capabilities(7), this is a stateless web server:
|
||||||
|
CapabilityBoundingSet=
|
||||||
|
|
||||||
|
# Ensure the service can never gain new privileges:
|
||||||
|
NoNewPrivileges=yes
|
||||||
|
|
||||||
|
# Prohibit access to any kind of namespacing:
|
||||||
|
RestrictNamespaces=yes
|
||||||
|
|
||||||
|
# Make home directories inaccessible:
|
||||||
|
ProtectHome=true
|
||||||
|
|
||||||
|
# Make device nodes except for /dev/null, /dev/zero, /dev/full,
|
||||||
|
# /dev/random and /dev/urandom inaccessible:
|
||||||
|
PrivateDevices=yes
|
||||||
|
|
||||||
|
# Make users other than root and the user for this daemon inaccessible:
|
||||||
|
PrivateUsers=yes
|
||||||
|
|
||||||
|
# Make cgroup file system hierarchy inaccessible:
|
||||||
|
ProtectControlGroups=yes
|
||||||
|
|
||||||
|
# Deny kernel module loading:
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
|
||||||
|
# Make kernel variables (e.g. /proc/sys) read-only:
|
||||||
|
ProtectKernelTunables=yes
|
||||||
|
|
||||||
|
# Filter dangerous system calls. The following is listed as safe basic choice
|
||||||
|
# in systemd.exec(5):
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
SystemCallFilter=@system-service
|
||||||
|
SystemCallErrorNumber=EPERM
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
Reference in New Issue
Block a user