Make mastodon-streaming systemd unit templated (#24751)
Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com>local
parent
d2dbaba407
commit
11f5a8e54b
3 changed files with 66 additions and 43 deletions
@ -1,51 +1,12 @@ |
||||
[Unit] |
||||
Description=mastodon-streaming |
||||
After=network.target |
||||
Wants=mastodon-streaming@4000.service |
||||
|
||||
[Service] |
||||
Type=simple |
||||
User=mastodon |
||||
WorkingDirectory=/home/mastodon/live |
||||
Environment="NODE_ENV=production" |
||||
Environment="PORT=4000" |
||||
ExecStart=/usr/bin/node ./streaming |
||||
TimeoutSec=15 |
||||
Restart=always |
||||
LimitNOFILE=65536 |
||||
# Proc filesystem |
||||
ProcSubset=pid |
||||
ProtectProc=invisible |
||||
# Capabilities |
||||
CapabilityBoundingSet= |
||||
# Security |
||||
NoNewPrivileges=true |
||||
# Sandboxing |
||||
ProtectSystem=strict |
||||
PrivateTmp=true |
||||
PrivateDevices=true |
||||
PrivateUsers=true |
||||
ProtectHostname=true |
||||
ProtectKernelLogs=true |
||||
ProtectKernelModules=true |
||||
ProtectKernelTunables=true |
||||
ProtectControlGroups=true |
||||
RestrictAddressFamilies=AF_INET |
||||
RestrictAddressFamilies=AF_INET6 |
||||
RestrictAddressFamilies=AF_NETLINK |
||||
RestrictAddressFamilies=AF_UNIX |
||||
RestrictNamespaces=true |
||||
LockPersonality=true |
||||
RestrictRealtime=true |
||||
RestrictSUIDSGID=true |
||||
RemoveIPC=true |
||||
PrivateMounts=true |
||||
ProtectClock=true |
||||
# System Call Filtering |
||||
SystemCallArchitectures=native |
||||
SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @memlock @mount @obsolete @privileged @resources @setuid |
||||
SystemCallFilter=pipe |
||||
SystemCallFilter=pipe2 |
||||
ReadWritePaths=/home/mastodon/live |
||||
Type=oneshot |
||||
ExecStart=/bin/echo "mastodon-streaming exists only to collectively start and stop mastodon-streaming@ instances, shimming over the migration to templated mastodon-streaming systemd unit" |
||||
RemainAfterExit=yes |
||||
|
||||
[Install] |
||||
WantedBy=multi-user.target |
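Review bot: `Wants=mastodon-streaming@4000.service` hard-codes one instance with no comment saying why, while further instances reach this unit through the template's `WantedBy=multi-user.target mastodon-streaming.service` once they are enabled, so a reader may assume every port has to be listed here. Add above it `# Default instance only; extra mastodon-streaming@<port> instances attach themselves when enabled (template WantedBy=mastodon-streaming.service)`. If, as the `+1,12` count and the echo text suggest, the new side of this section is the oneshot shim, it also drops `User=mastodon` together with the sandboxing, so `/bin/echo` runs as root; harmless by itself, but keeping `User=mastodon` preserves the invariant that nothing in these units runs as root. The changed lines in this section carry no side markers, so which lines are old versus new is inferred rather than read.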
||||
|
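--- /dev/null
+++ b/mastodon-streaming@.service
@@ -0,0 +1,54 @@
+[Unit]
+Description=mastodon-streaming on port %I
+After=network.target
+# handles using `systemctl restart mastodon-streaming`
+PartOf=mastodon-streaming.service
+ReloadPropagatedFrom=mastodon-streaming.service
+
+[Service]
+Type=simple
+User=mastodon
+WorkingDirectory=/home/mastodon/live
+Environment="NODE_ENV=production"
+Environment="PORT=%i"
+ExecStart=/usr/bin/node ./streaming
+TimeoutSec=15
+Restart=always
+LimitNOFILE=65536
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @memlock @mount @obsolete @privileged @resources @setuid
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths=/home/mastodon/live
+
+[Install]
+WantedBy=multi-user.target mastodon-streaming.service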
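Review bot: `WantedBy=multi-user.target mastodon-streaming.service` lists two targets with different roles and no comment: the first makes an enabled instance start at boot on its own, the second is what lets the shim unit start it collectively, and `PartOf=mastodon-streaming.service` in [Unit] is what propagates stop and restart. Add above the line `# multi-user.target: start at boot when enabled; mastodon-streaming.service: started with the shim (stop/restart propagate via PartOf=)`. Nothing in the file states what the template parameter is, so a comment above `Environment="PORT=%i"` such as `# the instance name (%i) is used verbatim as the listening port, e.g. mastodon-streaming@4000` would make the contract explicit; since instance names are operator-chosen, no further validation is needed there.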