12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152 |
- [Unit]
- Description=mastodon-streaming
- After=network.target
- [Service]
- Type=simple
- User=mastodon
- WorkingDirectory=/home/mastodon/live
- Environment="NODE_ENV=production"
- Environment="PORT=4000"
- Environment="STREAMING_CLUSTER_NUM=1"
- ExecStart=/usr/bin/node ./streaming
- TimeoutSec=15
- Restart=always
- # Proc filesystem
- ProcSubset=pid
- ProtectProc=invisible
- # Capabilities
- CapabilityBoundingSet=
- # Security
- NoNewPrivileges=true
- # Sandboxing
- ProtectSystem=strict
- PrivateTmp=true
- PrivateDevices=true
- PrivateUsers=true
- ProtectHostname=true
- ProtectKernelLogs=true
- ProtectKernelModules=true
- ProtectKernelTunables=true
- ProtectControlGroups=true
- RestrictAddressFamilies=AF_INET
- RestrictAddressFamilies=AF_INET6
- RestrictAddressFamilies=AF_NETLINK
- RestrictAddressFamilies=AF_UNIX
- RestrictNamespaces=true
- LockPersonality=true
- RestrictRealtime=true
- RestrictSUIDSGID=true
- RemoveIPC=true
- PrivateMounts=true
- ProtectClock=true
- # System Call Filtering
- SystemCallArchitectures=native
- SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @memlock @mount @obsolete @privileged @resources @setuid
- SystemCallFilter=pipe
- SystemCallFilter=pipe2
- ReadWritePaths=/home/mastodon/live
- [Install]
- WantedBy=multi-user.target
|