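# systemd unit template for the Gancio YunoHost package.
# The __APP__, __INSTALL_DIR__, __YNH_NODE_LOAD_PATH__ and __YNH_NPM__ tokens are
# placeholders substituted at install time; they are not literal values.
[Unit]
Description=Gancio : federated agenda
After=network.target

[Service]
Type=simple
# Run as the dedicated, unprivileged application user/group, never as root.
User=__APP__
Group=__APP__
WorkingDirectory=__INSTALL_DIR__/
# Puts the packaged Node.js runtime on PATH for the ExecStart below.
Environment="__YNH_NODE_LOAD_PATH__"
# Config path is relative to WorkingDirectory.
ExecStart=__YNH_NPM__ gancio start --config ./config.json

# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
# Prevents the service (and anything it execs) from gaining privileges via setuid/fscaps.
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
DevicePolicy=closed
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
# "full" mounts /usr, /boot and /etc read-only; "strict" would additionally require
# ReadWritePaths= for the install and data directories, which this file does not name.
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# Added: the web app has no reason to read the kernel ring buffer (/dev/kmsg, dmesg).
ProtectKernelLogs=yes
# Added: drop SysV/POSIX IPC objects owned by the service user when the unit stops.
RemoveIPC=yes
LockPersonality=yes
SystemCallArchitectures=native
# Deny list: the listed syscall groups are blocked, everything else is allowed.
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged

# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
# Each "~" line removes the listed capabilities from the bounding set; the lines accumulate.
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG

[Install]
WantedBy=multi-user.target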