[Unit] Description=__APP__: Media Server After=remote-fs.target network.target AssertPathExists=__INSTALL_DIR__ [Service] Type=simple User=__APP__ Group=__APP__ Environment="JAVA_OPTS=-Xmx256m" Environment="JAVA_ARGS=" EnvironmentFile=-/etc/default/__APP__ ExecStart=/usr/bin/java \ $JAVA_OPTS \ -Dairsonic.home=${AIRSONIC_HOME} \ -Dserver.servlet.context-path=${CONTEXT_PATH} \ -Dserver.port=${PORT} \ -jar ${JAVA_JAR} $JAVA_ARGS # See https://www.freedesktop.org/software/systemd/man/systemd.exec.html # for details #DeviceAllow=char-alsa rw #NoNewPrivileges=yes #PrivateTmp=yes #PrivateUsers=yes #RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 #RestrictNamespaces=yes #RestrictRealtime=yes #DevicePolicy=closed #SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap #ReadWritePaths=__INSTALL_DIR__ # You can uncomment the following line if you're not using the jukebox # This will prevent airsonic from accessing any real (physical) devices #PrivateDevices=yes # You can change the following line to `strict` instead of `full` # if you don't want airsonic to be able to # write anything on your filesystem outside of AIRSONIC_HOME. #ProtectSystem=full #ProtectControlGroups=yes #ProtectKernelModules=yes #ProtectKernelTunables=yes # You can uncomment the following line if you don't have any media # in /home/…. This will prevent airsonic from ever reading/writing anything there. #ProtectHome=true # You can uncomment the following line if you're not using the OpenJDK. # This will prevent processes from having a memory zone that is both writeable # and executeable, making hacker's lifes a bit harder. #MemoryDenyWriteExecute=yes [Install] WantedBy=multi-user.target