Make mastodon-streaming systemd unit templated (#24751)
Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com>
parent
d2dbaba407
commit
11f5a8e54b
3 changed files with 66 additions and 43 deletions
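--- a/DIR_NOT_SHOWN/mastodon-streaming.service
+++ b/DIR_NOT_SHOWN/mastodon-streaming.service
@@ -1,51 +1,12 @@
 [Unit]
 Description=mastodon-streaming
 After=network.target
+Wants=mastodon-streaming@4000.service
 
 [Service]
-Type=simple
-User=mastodon
-WorkingDirectory=/home/mastodon/live
-Environment="NODE_ENV=production"
-Environment="PORT=4000"
-ExecStart=/usr/bin/node ./streaming
-TimeoutSec=15
-Restart=always
-LimitNOFILE=65536
-# Proc filesystem
-ProcSubset=pid
-ProtectProc=invisible
-# Capabilities
-CapabilityBoundingSet=
-# Security
-NoNewPrivileges=true
-# Sandboxing
-ProtectSystem=strict
-PrivateTmp=true
-PrivateDevices=true
-PrivateUsers=true
-ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
-ProtectControlGroups=true
-RestrictAddressFamilies=AF_INET
-RestrictAddressFamilies=AF_INET6
-RestrictAddressFamilies=AF_NETLINK
-RestrictAddressFamilies=AF_UNIX
-RestrictNamespaces=true
-LockPersonality=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
-RemoveIPC=true
-PrivateMounts=true
-ProtectClock=true
-# System Call Filtering
-SystemCallArchitectures=native
-SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @memlock @mount @obsolete @privileged @resources @setuid
-SystemCallFilter=pipe
-SystemCallFilter=pipe2
-ReadWritePaths=/home/mastodon/live
+Type=oneshot
+ExecStart=/bin/echo "mastodon-streaming exists only to collectively start and stop mastodon-streaming@ instances, shimming over the migration to templated mastodon-streaming systemd unit"
+RemainAfterExit=yes
 
 [Install]
 WantedBy=multi-user.target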
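Review bot: With `Type=oneshot` and `RemainAfterExit=yes` the shim sits at `active (exited)` once `/bin/echo` has run, and `Wants=mastodon-streaming@4000.service` only requests a start, so mastodon-streaming.service reports healthy even after the 4000 instance has crashed or failed to start; anything that monitors the old unit name now gets a false positive. A comment above `Wants=` such as `# Parent state does not reflect instance health; check mastodon-streaming@*.service` would make that visible to operators. The rewrite also drops `User=mastodon` together with the sandbox block, so the echo now runs as root by default — harmless for echo, but keeping `User=mastodon` under [Service] means nothing privileged is inherited if the ExecStart is ever changed. Port 4000 is hard-coded here; operators running further instances presumably enable `mastodon-streaming@<port>.service` directly, which the template's `WantedBy=` entry in the other file supports, and a comment saying so would spare them from editing this list.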
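--- /dev/null
+++ b/DIR_NOT_SHOWN/mastodon-streaming@.service
@@ -0,0 +1,54 @@
+[Unit]
+Description=mastodon-streaming on port %I
+After=network.target
+# handles using `systemctl restart mastodon-streaming`
+PartOf=mastodon-streaming.service
+ReloadPropagatedFrom=mastodon-streaming.service
+
+[Service]
+Type=simple
+User=mastodon
+WorkingDirectory=/home/mastodon/live
+Environment="NODE_ENV=production"
+Environment="PORT=%i"
+ExecStart=/usr/bin/node ./streaming
+TimeoutSec=15
+Restart=always
+LimitNOFILE=65536
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @memlock @mount @obsolete @privileged @resources @setuid
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths=/home/mastodon/live
+
+[Install]
+WantedBy=multi-user.target mastodon-streaming.service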
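Review bot: The comment `# handles using `systemctl restart mastodon-streaming`` above `PartOf=` understates what the two [Unit] directives do: `PartOf=` propagates stop and restart of mastodon-streaming.service to this instance, `ReloadPropagatedFrom=` propagates reload, and neither one starts the instance — that comes from `Wants=` in the parent unit and the `WantedBy=… mastodon-streaming.service` entry in [Install]. I'd replace it with `# Stop/restart of mastodon-streaming.service propagate here (PartOf=), reload via ReloadPropagatedFrom=; starting is driven by Wants= in that unit and by WantedBy= below.` `Environment="PORT=%i"` hands the escaped instance name straight to the streaming server, so an instance enabled under a non-numeric name would start with an unusable PORT; a one-line comment above it, `# Instance name is the TCP port, e.g. mastodon-streaming@4000.service`, makes that contract explicit. The hardening block below `LimitNOFILE=` appears to be carried over verbatim from the old single-instance unit, so every instance keeps the same sandbox; worth confirming nothing per-instance needs adding there.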