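# This variant of the unit file is for package installations.
#
# The relevant paths are:
#
# /usr/bin/pepecoind
# /etc/pepecoin/
# /var/lib/pepecoin/
#
# /etc/pepecoin/pepecoin.conf is passed with -conf= below and is where RPC
# credentials normally live; it is bind-mounted read-only into the service,
# but the file itself must also be kept unreadable by other local users
# (owned by root with group pepecoin and mode 0640 is the usual arrangement).

[Unit]
Description=Pepecoin's distributed currency daemon
After=network.target
# With Restart=always below, stop retrying after 5 failed starts within 120 s
# so a broken configuration does not loop forever.
StartLimitIntervalSec=120
StartLimitBurst=5

[Service]
Type=simple
ExecStart=/usr/bin/pepecoind -conf=/etc/pepecoin/pepecoin.conf -datadir=/var/lib/pepecoin
# SIGINT requests a clean shutdown (database flush) instead of an abrupt kill;
# TimeoutStopSec is the number of seconds allowed for that before SIGKILL.
KillSignal=SIGINT
Restart=always
RestartSec=5
TimeoutStopSec=60
TimeoutStartSec=5
# Run unprivileged; the data directory must be owned by this user.
User=pepecoin
Group=pepecoin

### Restrict resource consumption
MemoryAccounting=yes
MemoryMax=3G

### Restrict access to host file system.
#
# Hide the entire root file system by default, and *only* mount in exactly
# what is needed. Each BindReadOnlyPaths= line adds to the previous one.
#
TemporaryFileSystem=/:ro
# Add core dependencies (shared libraries and system configuration)
BindReadOnlyPaths=/etc/ /lib/ /lib64/ /usr/lib/ /usr/lib64/
# Add daemon paths
BindReadOnlyPaths=/usr/bin/pepecoind /etc/pepecoin/
# The data directory is the only location the daemon may write to.
BindPaths=/var/lib/pepecoin

### Restrict access to system.
NoNewPrivileges=true
# The daemon never needs capabilities; drop the whole bounding set so none can
# be regained even if the service is later changed to run as root.
CapabilityBoundingSet=
PrivateTmp=true
PrivateDevices=true
PrivateUsers=true
DevicePolicy=closed
ProtectHome=true
ProtectHostname=true
ProtectControlGroups=true
ProtectClock=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectKernelLogs=true
# Unix sockets, IPv4/IPv6 (P2P and RPC) and netlink (interface enumeration);
# everything else is refused.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
MemoryDenyWriteExecute=true
# MemoryDenyWriteExecute= can be bypassed through non-native ABIs, so pin the
# process to the native system-call ABI as well.
SystemCallArchitectures=native
LockPersonality=true
# ProtectSystem=strict would normally be used, however it nullifies TemporaryFileSystem,
# since it remounts root as read only over the top.
# In this case, do not enable ProtectSystem.
#ProtectSystem=strict

[Install]
WantedBy=multi-user.target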