42 lines
856 B
SYSTEMD
42 lines
856 B
SYSTEMD
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
[Unit]
|
|
Description=EcoPyBot service
|
|
After=network-online.target
|
|
|
|
[Service]
|
|
Type=exec
|
|
User=ecopybot
|
|
Group=ecopybot
|
|
DynamicUser=yes
|
|
ExecStart=/usr/bin/python3 /usr/lib/ecopybot/ecopybot_headless.py
|
|
ExecReload=/bin/kill -INT $MAINPID
|
|
ExecStop=/bin/kill -INT $MAINPID
|
|
Restart=on-failure
|
|
|
|
###
|
|
# Hardening
|
|
###
|
|
MemoryDenyWriteExecute=true
|
|
LockPersonality=yes
|
|
ProtectHome=yes
|
|
ProtectHostname=yes
|
|
ProtectSystem=full
|
|
ProtectClock=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectKernelModules=yes
|
|
ProtectControlGroups=yes
|
|
ProtectKernelLogs=yes
|
|
PrivateDevices=yes
|
|
PrivateUsers=yes
|
|
RestrictNamespaces=true
|
|
RestrictRealtime=true
|
|
RestrictAddressFamilies=AF_INET AF_INET6
|
|
CapabilityBoundingSet=
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=@system-service
|
|
SystemCallFilter=~@resources @privileged
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|