Acasă Explorează Ajutor
Autentificare
LBP
/
miniflux_v2
oglindă de https://github.com/miniflux/v2.git
4
0
Bifurcare 0
Fisiere Probleme 0 Wiki
Ramură: web_bot_auth
Ramuri Etichete
miniflux_v2
/
packaging
/
systemd
/
miniflux.service

miniflux.service 2.2 KB
Permalink Istoric Crud

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889 
  1. # Changing the systemd config can be done like this:
    2. 

  2. # 1) Edit the config file: systemctl edit --full miniflux
    3. 

  3. # 2) Restart the process: systemctl restart miniflux
    4. 

  4. # All your changes can be reverted with `systemctl revert miniflux.service`.
    5. 

  5. # See https://wiki.archlinux.org/index.php/Systemd#Editing_provided_units.
    6. 

  6. # Also see https://www.freedesktop.org/software/systemd/man/systemd.service.html
    7. 

  7. # for available configuration options in this file.
    8. 

  8. 

  9. [Unit]
    10. 

  10. Description=Miniflux
    11. 

  11. Documentation=man:miniflux(1) https://miniflux.app/docs/index.html
    12. 

  12. After=network.target postgresql.service
    13. 

  13. 

  14. [Service]
    15. 

  15. ExecStart=/usr/bin/miniflux
    16. 

  16. User=miniflux
    17. 

  17. 

  18. # Load environment variables from /etc/miniflux.conf.
    19. 

  19. EnvironmentFile=/etc/miniflux.conf
    20. 

  20. 

  21. # Miniflux uses sd-notify protocol to notify about it's readiness.
    22. 

  22. Type=notify
    23. 

  23. 

  24. # Enable watchdog.
    25. 

  25. WatchdogSec=60s
    26. 

  26. WatchdogSignal=SIGKILL
    27. 

  27. 

  28. # Automatically restart Miniflux if it crashes.
    29. 

  29. Restart=always
    30. 

  30. RestartSec=5
    31. 

  31. 

  32. # Allocate a directory at /run/miniflux for Unix sockets.
    33. 

  33. RuntimeDirectory=miniflux
    34. 

  34. 

  35. # Allow Miniflux to bind to privileged ports.
    36. 

  36. AmbientCapabilities=CAP_NET_BIND_SERVICE
    37. 

  37. 

  38. # Make the system tree read-only.
    39. 

  39. ProtectSystem=strict
    40. 

  40. 

  41. # Allocate a separate /tmp.
    42. 

  42. PrivateTmp=yes
    43. 

  43. 

  44. # Ensure the service can never gain new privileges.
    45. 

  45. NoNewPrivileges=yes
    46. 

  46. 

  47. # Prohibit access to any kind of namespacing.
    48. 

  48. RestrictNamespaces=yes
    49. 

  49. 

  50. # Make home directories inaccessible.
    51. 

  51. ProtectHome=yes
    52. 

  52. 

  53. # Make device nodes except for /dev/null, /dev/zero, /dev/full,
    54. 

  54. # /dev/random and /dev/urandom inaccessible.
    55. 

  55. PrivateDevices=yes
    56. 

  56. 

  57. # Make cgroup file system hierarchy inaccessible.
    58. 

  58. ProtectControlGroups=yes
    59. 

  59. 

  60. # Deny kernel module loading.
    61. 

  61. ProtectKernelModules=yes
    62. 

  62. 

  63. # Make kernel variables (e.g. /proc/sys) read-only.
    64. 

  64. ProtectKernelTunables=yes
    65. 

  65. 

  66. # Deny hostname changing.
    67. 

  67. ProtectHostname=yes
    68. 

  68. 

  69. # Deny realtime scheduling.
    70. 

  70. RestrictRealtime=yes
    71. 

  71. 

  72. # Deny access to the kernel log ring buffer.
    73. 

  73. ProtectKernelLogs=yes
    74. 

  74. 

  75. # Deny setting the hardware or system clock.
    76. 

  76. ProtectClock=yes
    77. 

  77. 

  78. # Filter dangerous system calls. The following is listed as safe basic
    79. 

  79. # choice in systemd.exec(5).
    80. 

  80. SystemCallArchitectures=native
    81. 

  81. 

  82. # Deny kernel execution domain changing.
    83. 

  83. LockPersonality=yes
    84. 

  84. 

  85. # Deny memory mappings that are writable and executable.
    86. 

  86. MemoryDenyWriteExecute=yes
    87. 

  87. 

  88. [Install]
    89. 

  89. WantedBy=multi-user.target
    90.