# Example systemd configuration file for duckcloud. Copy into
# /usr/lib/systemd/system/duckcloud.service, then:
#
# systemctl enable duckcloud
# systemctl start duckcloud
#
# This unit file assumes that:
# - A user named `duckcloud` has been created.
# - A file `/etc/duckcloud/var_file` exists and sets the `DATADIR` env variable.
# - The `DATADIR` env variable content is a path pointing to a folder owned by the `duckcloud` user.
#
# **NOTE:** This is an example service file that may change in the future. If you
# wish to use this please copy rather than symlink it.
#
[Unit]
# Human-readable name shown by `systemctl status` and in the journal
Description=The Duckcloud backup server
# Ordering only: start after network.target. This does not wait for the network
# to be fully configured (that would be network-online.target) — TODO confirm
# whether duckcloud needs specific addresses to be up when it binds.
After=network.target
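[Service]
# The daemon signals readiness via sd_notify(); only the main process may do so
Type=notify
# Seconds allowed for both startup (until READY=1) and shutdown before the
# service is killed
TimeoutSec=120
NotifyAccess=main
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
User=duckcloud
Group=duckcloud
SyslogIdentifier=duckcloud
# Provides DATADIR (see the header comment); the path it names must be owned
# by / writable for the duckcloud user
EnvironmentFile=/etc/duckcloud/var_file
ExecStart=/usr/bin/duckcloud run

# ######################
# ## Security Sandbox ##
# ######################
# Give the service its own unshared tmpfs at /tmp and hide real devices from it
PrivateTmp=true
PrivateDevices=true
# Drop every capability. The service runs as the unprivileged `duckcloud` user
# with NoNewPrivileges= set below, so it cannot regain any; an empty bounding
# set makes that explicit. (Both directives used to be commented out, so the
# default bounding set still applied despite the comment saying otherwise.)
CapabilityBoundingSet=
AmbientCapabilities=
# Make the following read-only / unmodifiable:
# - sysctl settings (/proc/sys, /sys) and loading of kernel modules
# - control groups
# - hostname
# - system clock
# NOTE: ProtectSystem= is intentionally not set: the writable data directory is
# only known via DATADIR in the environment file, so a matching ReadWritePaths=
# cannot be written generically. Where the data directory location is fixed,
# consider ProtectSystem=strict plus ReadWritePaths=<data directory>.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectHostname=true
ProtectClock=true
# Prevent access to:
# - home directories (/home, /root, /run/user)
# - kernel logs
ProtectHome=true
ProtectKernelLogs=true
# Only the service's own PIDs and process details are visible in /proc, and
# ProcSubset=pid additionally hides non-process entries such as system load
# and I/O statistics
ProtectProc=invisible
ProcSubset=pid
# Network settings are stated explicitly even though they match the defaults:
# the service shares the host network namespace, may use IPv4, IPv6 and Unix
# sockets, and is not filtered by IP address
PrivateNetwork=false
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
IPAddressAllow=any
# Only system calls of the native architecture are allowed (e.g. no 32-bit ABI
# on a 64-bit host). No SystemCallFilter= is applied; a filter such as
# SystemCallFilter=@system-service is a common next step but must be tested
# against the duckcloud binary before enabling it.
SystemCallArchitectures=native
# Misc restrictions:
# - no creation of setuid/setgid files
# - SysV/POSIX IPC objects owned by the user are removed when the service stops
# - no privilege gain via setuid/setgid binaries or file capabilities
# - no realtime scheduling, no new namespaces, locked execution domain
# - the service runs in its own user namespace
RestrictSUIDSGID=true
RemoveIPC=true
NoNewPrivileges=true
RestrictRealtime=true
RestrictNamespaces=true
LockPersonality=true
PrivateUsers=true
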
[Install]
# `systemctl enable duckcloud` hooks the unit into multi-user.target so it
# starts at boot
WantedBy=multi-user.target