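# gosvc@.service — systemd template unit: one Go web service per instance.
# The instance name %i selects the binary /var/www/gosvc/%i and its optional
# environment file /var/www/gosvc/%i.env. The service is socket-activated:
# the listening socket arrives on stdin (StandardInput=socket), so a matching
# gosvc@.socket unit is expected to exist alongside this file.
[Unit]
Description=Gosvc %i Web Service
After=nginx.service

[Service]
Type=simple
ExecStart=/var/www/gosvc/%i
# Leading "-" makes a missing env file non-fatal. systemd reads this file as
# root before switching to the dynamic user, so it can (and should) be
# 0600 root:root if it holds secrets. Make sure /var/www/gosvc is not a
# document root that nginx serves, or %i.env becomes downloadable.
EnvironmentFile=-/var/www/gosvc/%i.env
# Restart on abnormal exit (unclean exit code, signal, timeout) but not on a
# clean stop, so a deliberate "systemctl stop" is honoured. systemd's default
# start-rate limit (5 starts per 10 s) still applies and breaks crash loops.
Restart=on-failure
RestartSec=5s
StandardInput=socket
StandardOutput=journal
StandardError=journal
# Hide other users' processes in /proc; ProcSubset=pid additionally removes
# the non-process entries (/proc/sys, /proc/kallsyms, ...).
ProtectProc=invisible
ProcSubset=pid
# Transient unprivileged user per instance; the StateDirectory below is the
# only persistent location it can write.
DynamicUser=true
# The service already runs unprivileged (DynamicUser), so it needs no
# capabilities at all; an empty bounding set makes that explicit rather than
# inheriting the default set.
CapabilityBoundingSet=
NoNewPrivileges=true
LimitNOFILE=1024
# Whole filesystem read-only except the state directory, /dev, /proc, /sys.
ProtectSystem=strict
ProtectHome=true
StateDirectory=gosvc-%i
StateDirectoryMode=0700
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
# Only IPv4/IPv6 sockets may be created. Add AF_UNIX if the service itself
# opens Unix sockets (e.g. to a local database) — an inherited fd is fine.
RestrictAddressFamilies=AF_INET AF_INET6
LockPersonality=true
RestrictNamespaces=true
# Safe for a Go binary: the Go runtime does not JIT or need W+X mappings.
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
# Native ABI only; rejects compat/32-bit syscall entry points that the
# allow-list below would not otherwise cover. Assumes %i is built for the
# host architecture.
SystemCallArchitectures=native
# Allow-list tuned for the Go runtime. A syscall outside this list kills the
# process with SIGSYS (no SystemCallErrorNumber= is set), so check the journal
# for seccomp kills after a Go toolchain upgrade; the exact set the runtime
# needs varies by Go version.
SystemCallFilter=@basic-io @file-system @io-event @ipc @network-io @process @signal @sync @timer mprotect madvise mremap brk copy_file_range fadvise64 fadvise64_64 flock getcpu getrandom readdir sched_yield sched_getaffinity sendfile sendfile64 splice tee umask sysinfo uname ioctl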