This repository was archived by the owner on Jun 18, 2021. It is now read-only.
Example systemd unit file
ㅤ edited this page Jul 23, 2019
·
3 revisions
[Unit]
Description=PermanentDetour Redirect Server
# Requires= pulls in network-online.target and keeps this unit from starting if
# that target fails to activate; After= delays start-up until it has been reached.
# NOTE(review): systemd's guidance for network-online.target pairs After= with the
# weaker Wants= dependency — confirm that the hard Requires= is intended.
Requires=network-online.target
After=network-online.target
[Service]
# Settings handed to the server through its environment.
# NOTE(review): presumably the Primo instance and view identifiers used to build
# redirect targets — confirm against the PermanentDetour documentation.
Environment=PERMANENTDETOUR_PRIMO=ocul-crl
Environment=PERMANENTDETOUR_VID=01OCUL_CRL:CRL_DEFAULT
# The whole assignment is quoted because the value contains spaces.
Environment="FILES=/opt/permanentdetour/bibids1.csv /opt/permanentdetour/bibids2.csv /opt/permanentdetour/bibids3.csv"
Type=simple
# The unbraced $FILES form is split on whitespace, so each CSV path becomes its
# own argument; ${FILES} would pass the whole list as one single argument.
ExecStart=/opt/permanentdetour/permanentdetour $FILES
# Run under the permanentdetour user and group instead of root.
User=permanentdetour
Group=permanentdetour
# Restart after an unclean exit (non-zero status, signal, timeout), not after a clean stop.
Restart=on-failure
#
# Security hardening.
# Directives left commented out below are not yet available in the systemd version
# this example was written for; enable them once the installed systemd supports them.
# `systemd-analyze security <unit>` (newer systemd releases) lists what is still exposed.
#
# Chroot jail: the service process sees this directory as "/".
# NOTE(review): with RootDirectory= set, the ExecStart= binary and the CSV paths in
# FILES are looked up inside the new root, i.e. under
# /opt/permanentdetour/opt/permanentdetour/ on the host. Confirm that layout exists,
# or make the paths relative to the new root.
# A chroot on its own does not contain a privileged process; here it is combined
# with a non-root User=, NoNewPrivileges= and an empty capability bounding set.
RootDirectory=/opt/permanentdetour
# Protect the filesystem.
# ProtectSystem=strict mounts the file system hierarchy read-only for the service
# (except /dev, /proc and /sys).
# ProtectSystem=strict
# /home, /root and /run/user are read-only for the service.
# NOTE(review): ProtectHome=yes makes them inaccessible instead, which is stricter
# if the service never reads from those directories — confirm before changing.
ProtectHome=read-only
# Protect Kernel subsystems.
# ProtectControlGroups=yes
# ProtectKernelModules=yes
# ProtectKernelTunables=yes
# RestrictRealtime=yes
# RestrictNamespaces=yes
# MemoryDenyWriteExecute=yes
# Service process can never gain new privileges through execve(): setuid/setgid
# bits and file capabilities on executed binaries have no effect.
NoNewPrivileges=true
# Create private /tmp and /var/tmp that are not shared with other processes.
PrivateTmp=yes
# Control access to devices.
# PrivateDevices= gives the service its own /dev holding only pseudo-devices
# (such as /dev/null, /dev/zero, /dev/random), with no physical devices.
# DevicePolicy=closed applies the same restriction through the device cgroup
# controller; further devices would need an explicit DeviceAllow=.
PrivateDevices=yes
DevicePolicy=closed
# Control network access.
# Allow-list of socket families: the service may only create IPv4 sockets, so
# IPv6 (AF_INET6) and UNIX-domain (AF_UNIX) sockets are refused as well.
RestrictAddressFamilies=AF_INET
# NOTE(review): IPAddressAllow= only restricts traffic when combined with
# IPAddressDeny=any; used alone, addresses that match no list are still allowed.
# Limiting peers to localhost presumably assumes a reverse proxy on the same
# host — confirm before enabling.
# IPAddressAllow=localhost
# Restrict capability set.
# An empty assignment clears the bounding set, so the service holds no capabilities
# and cannot regain any. Without CAP_NET_BIND_SERVICE it cannot, by default, bind
# ports below 1024; the listening port is not set in this unit.
CapabilityBoundingSet=
[Install]
# `systemctl enable` hooks the unit into multi-user.target, so it starts at boot.
WantedBy=multi-user.target