1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/galene_ynh.git synced 2024-09-03 18:36:31 +02:00

Update systemd.service

This commit is contained in:
Éric Gaspar 2023-01-31 12:25:06 +01:00
parent c43b64e236
commit a0f20ebc41

View file

@ -11,5 +11,34 @@ WorkingDirectory=__FINALPATH__/live/
ExecStart=__FINALPATH__/live/galene -http "127.0.0.1:__PORT__" -insecure -turn __PUBLIC_IP4__:__TURN_PORT__ -udp-range 49152-65535 -groups __DATADIR__/groups -recordings __DATADIR__/recordings -data __FINALPATH__/live/data/ ExecStart=__FINALPATH__/live/galene -http "127.0.0.1:__PORT__" -insecure -turn __PUBLIC_IP4__:__TURN_PORT__ -udp-range 49152-65535 -groups __DATADIR__/groups -recordings __DATADIR__/recordings -data __FINALPATH__/live/data/
LimitNOFILE=65536 LimitNOFILE=65536
# various hardening options
ReadWritePaths=/var/lib/galene/recordings
CapabilityBoundingSet=
AmbientCapabilities=
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectClock=yes
NoNewPrivileges=yes
MountFlags=private
LockPersonality=yes
RestrictRealtime=yes
RestrictNamespaces=yes
RestrictSUIDSGID=yes
KeyringMode=private
MemoryDenyWriteExecute=yes
RemoveIPC=yes
SystemCallArchitectures=native
SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete @timer @resources @privileged @pkey @obsolete @setuid
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
UMask=0077
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target