Halaman utama Jelajahi Bantuan
Masuk
LBP
/
miniflux_v2
cermin dari https://github.com/miniflux/v2.git
4
0
Fork 0
Berkas Masalah 0 Wiki
Pohon: fd8e95c878
Ranting Tag
miniflux_v2
/
packaging
/
systemd
/
miniflux.service

miniflux.service 2.3 KB
Riwayat Mentahan

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192 
  1. # Changing the systemd config can be done like this:
    2. 

  2. # 1) Edit the config file: systemctl edit --full miniflux
    3. 

  3. # 2) Restart the process: systemctl restart miniflux
    4. 

  4. # All your changes can be reverted with `systemctl revert miniflux.service`.
    5. 

  5. # See https://wiki.archlinux.org/index.php/Systemd#Editing_provided_units.
    6. 

  6. # Also see https://www.freedesktop.org/software/systemd/man/systemd.service.html
    7. 

  7. # for available configuration options in this file.
    8. 

  8. 

  9. [Unit]
    10. 

  10. Description=Miniflux
    11. 

  11. After=network.target postgresql.service
    12. 

  12. 

  13. [Service]
    14. 

  14. ExecStart=/usr/bin/miniflux
    15. 

  15. User=miniflux
    16. 

  16. 

  17. # Load environment variables from /etc/miniflux.conf.
    18. 

  18. EnvironmentFile=/etc/miniflux.conf
    19. 

  19. 

  20. # Miniflux uses sd-notify protocol to notify about it's readiness.
    21. 

  21. Type=notify
    22. 

  22. 

  23. # Enable watchdog.
    24. 

  24. WatchdogSec=60s
    25. 

  25. WatchdogSignal=SIGKILL
    26. 

  26. 

  27. # Automatically restart Miniflux if it crashes.
    28. 

  28. Restart=always
    29. 

  29. RestartSec=5
    30. 

  30. 

  31. # Allocate a directory at /run/miniflux for Unix sockets.
    32. 

  32. RuntimeDirectory=miniflux
    33. 

  33. 

  34. # Allow Miniflux to bind to privileged ports.
    35. 

  35. AmbientCapabilities=CAP_NET_BIND_SERVICE
    36. 

  36. 

  37. # Make the system tree read-only.
    38. 

  38. ProtectSystem=strict
    39. 

  39. 

  40. # Allocate a separate /tmp.
    41. 

  41. PrivateTmp=yes
    42. 

  42. 

  43. # Ensure the service can never gain new privileges.
    44. 

  44. NoNewPrivileges=yes
    45. 

  45. 

  46. # Prohibit access to any kind of namespacing.
    47. 

  47. RestrictNamespaces=yes
    48. 

  48. 

  49. # Make home directories inaccessible.
    50. 

  50. ProtectHome=yes
    51. 

  51. 

  52. # Make device nodes except for /dev/null, /dev/zero, /dev/full,
    53. 

  53. # /dev/random and /dev/urandom inaccessible.
    54. 

  54. PrivateDevices=yes
    55. 

  55. 

  56. # Make cgroup file system hierarchy inaccessible.
    57. 

  57. ProtectControlGroups=yes
    58. 

  58. 

  59. # Deny kernel module loading.
    60. 

  60. ProtectKernelModules=yes
    61. 

  61. 

  62. # Make kernel variables (e.g. /proc/sys) read-only.
    63. 

  63. ProtectKernelTunables=yes
    64. 

  64. 

  65. # Deny hostname changing.
    66. 

  66. ProtectHostname=yes
    67. 

  67. 

  68. # Deny realtime scheduling.
    69. 

  69. RestrictRealtime=yes
    70. 

  70. 

  71. # Deny access to the kernel log ring buffer.
    72. 

  72. ProtectKernelLogs=yes
    73. 

  73. 

  74. # Deny setting the hardware or system clock.
    75. 

  75. ProtectClock=yes
    76. 

  76. 

  77. # Filter dangerous system calls. The following is listed as safe basic
    78. 

  78. # choice in systemd.exec(5).
    79. 

  79. SystemCallArchitectures=native
    80. 

  80. SystemCallFilter=@system-service
    81. 

  81. SystemCallFilter=~@privileged
    82. 

  82. SystemCallFilter=~@resources
    83. 

  83. SystemCallErrorNumber=EPERM
    84. 

  84. 

  85. # Deny kernel execution domain changing.
    86. 

  86. LockPersonality=yes
    87. 

  87. 

  88. # Deny memory mappings that are writable and executable.
    89. 

  89. MemoryDenyWriteExecute=yes
    90. 

  90. 

  91. [Install]
    92. 

  92. WantedBy=multi-user.target
    93.