snikket_ynh/conf/systemd.service

[Unit]
### See man systemd.unit ###
# Unit-level metadata and start ordering
# Human-readable name shown by systemctl and in the journal
Description=Snikket XMPP Server
# Start after basic networking and remote filesystems.
# After= only orders units; it does not pull these targets in.
After=network.target remote-fs.target
Documentation=https://snikket.org/service/help/
[Service]
### See man systemd.service ###
# With this configuration, systemd takes care of daemonization
# so Prosody should be configured with daemonize = false
# (Type=simple: the process started by ExecStart= is the main service process
# and must stay in the foreground)
Type=simple
# Original note, apparently about the RuntimeDirectory= line that follows:
# not sure if this is needed for 'simple'
# Creates /run/snikket when the service starts, owned by the unit's User=/Group=,
# and removes it again when the service stops
RuntimeDirectory=snikket
# Load environment file used by Snikket
# NOTE(review): if this file carries credentials or tokens, keep it root-owned
# and not world-readable. systemd loads it before the process drops to User=,
# so it should not need to be readable by the service account; confirm.
EnvironmentFile=/etc/snikket/environment
# Start by executing the main executable
# NOTE(review): /usr/local/bin is a locally installed path. The binary and its
# parent directories should be writable by root only, never by the service
# account, or a compromise of the service could replace what systemd starts.
ExecStart=/usr/local/bin/prosody
# Reload by sending SIGHUP to the main process ($MAINPID is filled in by systemd)
ExecReload=/bin/kill -HUP $MAINPID
# Restart on crashes
# (on-abnormal: unclean signal, timeout or watchdog; not on a non-zero exit code)
Restart=on-abnormal
# Set O_NONBLOCK flag on sockets passed via socket activation
# NOTE(review): only has an effect if a matching .socket unit exists; none is
# visible in this file
NonBlocking=true
### See man systemd.exec ###
# __DATA_DIR__ and __APP__ are template placeholders, presumably substituted
# when the unit is installed; confirm against the packaging scripts
WorkingDirectory=__DATA_DIR__
# Run as the application's own account (presumably unprivileged) instead of root
User=__APP__
Group=__APP__
# Nice=0
# Set stdin to /dev/null since Prosody does not need it
StandardInput=null
# Direct stdout/-err to journald for use with log = "*stdout"
StandardOutput=journal
# inherit: stderr goes wherever stdout goes, i.e. the journal
StandardError=inherit
# This usually defaults to 4k or so
# LimitNOFILE=1M
## Interesting protection methods
# Finding a useful combo of these settings would be nice
# NOTE(review): every sandboxing option below is commented out, so in this file
# the only confinement is the User=/Group= drop above. Enable options one at a
# time and test each; `systemd-analyze security <unit>.service` reports what is
# still exposed. NoNewPrivileges=true is not listed below and is worth
# evaluating too.
#
# Needs read access to /etc/prosody for config
# Needs write access to /var/lib/prosody for storing data (for internal storage)
# Needs write access to /var/log/prosody for writing logs (depending on config)
# Needs read access to code and libraries loaded
# NOTE(review): the /etc/prosody, /var/lib/prosody and /var/log/prosody paths
# look inherited from a stock Prosody unit. This unit uses /etc/snikket and
# __DATA_DIR__, so verify the real paths before enabling any path rule.
# NOTE(review): ReadWriteDirectories=, InaccessibleDirectories= and
# ReadOnlyDirectories= are the legacy spellings; current systemd documents them
# as ReadWritePaths=, InaccessiblePaths= and ReadOnlyPaths=.
# ReadWriteDirectories=/var/lib/prosody /var/log/prosody
# InaccessibleDirectories=/boot /home /media /mnt /root /srv
# ReadOnlyDirectories=/usr /etc/prosody
# Private /tmp and /var/tmp for this service only
# PrivateTmp=true
# Hide physical devices; only pseudo-devices such as /dev/null stay visible
# PrivateDevices=true
# Must stay false: true would leave the server with a loopback interface only
# PrivateNetwork=false
# full: /usr, the boot loader directories and /etc become read-only
# ProtectSystem=full
# NOTE(review): hides /home, /root and /run/user. If __DATA_DIR__ or
# /etc/snikket/environment resolves under one of those (the InaccessibleDirectories=
# line above also lists /home), the service would lose its data; check first.
# ProtectHome=true
# ProtectKernelTunables=true
# ProtectControlGroups=true
# NOTE(review): an empty assignment resets the filter instead of restricting
# anything; an allow-list such as @system-service would be needed here
# SystemCallFilter=
# This should break LuaJIT
# (it forbids memory that is both writable and executable, which a JIT needs;
# presumably usable when Prosody runs on the plain Lua interpreter; confirm)
# MemoryDenyWriteExecute=true
[Install]
# Once enabled, the unit is started at boot as part of multi-user.target
WantedBy=multi-user.target