[Unit] Description=__APP__ After=syslog.target network.target [Service] Type=simple User=__APP__ Group=__APP__ WorkingDirectory=__FINALPATH__/ Environment="__YNH_NODE_LOAD_PATH__" Environment=NODE_ENV=production ExecStart=__FINALPATH__/bin/kresus.js --config __FINALPATH__/config.ini Restart=always StandardOutput=syslog StandardError=syslog SyslogIdentifier=__APP__ # /var/log is implied LogsDirectory=__APP__ AmbientCapabilities= CapabilityBoundingSet= LockPersonality=true #Not compatible with NodeJS #MemoryDenyWriteExecute=true NoNewPrivileges=true PrivateDevices=true PrivateTmp=true # PrivateUsers=true does not work on Debian 11 PrivateUsers=false ProtectClock=true ProtectControlGroups=true ProtectHome=true ProtectHostname=true ProtectKernelLogs=true ProtectKernelModules=true ProtectKernelTunables=true ProtectProc=invisible ProtectSystem=strict RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK RestrictNamespaces=true RestrictRealtime=true RestrictSUIDSGID=true #SecureBits=noroot-locked SystemCallArchitectures=native SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap SystemCallErrorNumber=EPERM # to allow this systemd service to use sendmail. # references: # https://bugs.archlinux.org/task/57721 # https://linux.m2osw.com/snapwebsites-postfixpostdrop18189-warning-mailqueueenter-create-file-maildrop25937318189-permission # Future wait for this ticket to be resolved: https://github.com/YunoHost/issues/issues/947 SupplementaryGroups=postdrop ReadWritePaths=__FINALPATH__/config.ini __FINALPATH__/data/ /var/spool/postfix/maildrop/ [Install] WantedBy=multi-user.target