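# systemd unit for the PeerTube YunoHost app. The __*__ tokens are placeholders that the
# YunoHost packaging helpers substitute when the unit is installed.
[Unit]
Description = PeerTube daemon
# After= only orders startup relative to these units; Wants= additionally pulls the
# database and cache in (non-fatally) when this unit is started on its own, e.g. by the
# install or upgrade scripts, instead of relying on them already being up.
Wants = postgresql.service redis-server.service
After = network.target postgresql.service redis-server.service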
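[Service]
Type = simple
Environment = NODE_ENV=production
Environment = NODE_CONFIG_DIR=__FINALPATH__/config
# Presumably expands to a PATH= assignment exposing the app-local Node.js binary; quoted
# because the expansion may contain spaces. NOTE(review): confirm against the YunoHost
# nodejs helper that produces this value.
Environment = "__YNH_NODE_LOAD_PATH__"
# Run unprivileged as the dedicated app user. systemd switches uid/gid before the
# sandboxing below takes effect, so denying @setuid in SystemCallFilter= does not break
# startup.
User = __APP__
Group = __APP__
ExecStart = __YNH_NODE__ __FINALPATH__/dist/server
WorkingDirectory = __FINALPATH__/
# "syslog" is a deprecated StandardOutput=/StandardError= target (systemd 246 and later
# treat it as "journal" and warn about it); name the real target. journald still forwards
# to syslog where ForwardToSyslog= is enabled, and SyslogIdentifier= keeps tagging the
# messages with the app name.
StandardOutput = journal
StandardError = journal
SyslogIdentifier = __APP__
Restart = always
# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
NoNewPrivileges = yes
PrivateTmp = yes
# PrivateDevices=yes is intentionally left disabled: it won't work on Raspberry Pi, as
# documented at
# https://docs.joinpeertube.org/maintain/configuration#systemd-unit-with-reduced-privileges
# DevicePolicy=closed plus the explicit DeviceAllow= below restricts device access to the
# standard pseudo-devices and the listed node instead.
RestrictAddressFamilies = AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces = yes
RestrictRealtime = yes
# The service never needs to create set-user-ID / set-group-ID files.
RestrictSUIDSGID = yes
# Only the standard pseudo-devices (null, zero, random, ...) plus the allow list are
# reachable. No access mode is given for the render node, so systemd's default ("rwm")
# applies; "m" (mknod) is already neutralised by dropping CAP_MKNOD below.
DevicePolicy = closed
DeviceAllow = /dev/dri/renderD128
# "full" mounts /usr, /boot and /etc read-only. "strict" would be tighter but requires
# ReadWritePaths= for the app directory and its data/upload locations.
# TODO(review): confirm those paths before switching to strict.
ProtectSystem = full
ProtectControlGroups = yes
ProtectKernelModules = yes
ProtectKernelTunables = yes
# The following three are consistent with the capability and syscall deny lists below
# (CAP_SYSLOG, CAP_SYS_TIME / CAP_WAKE_ALARM and @clock are already removed) and only add
# the /dev/kmsg, RTC and hostname restrictions on top.
ProtectKernelLogs = yes
ProtectClock = yes
ProtectHostname = yes
LockPersonality = yes
# Deny list: every syscall group not named here stays allowed. A filtered call terminates
# the process with SIGSYS, because SystemCallErrorNumber= is not set.
SystemCallFilter = ~@clock @debug @module @mount @obsolete @reboot @setuid @swap
# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
# Several "~" lines merge: each one removes its capabilities from the bounding set.
# Since the service runs as __APP__ it holds no capabilities anyway; the bounding set is
# defence in depth against a set-user-ID helper being executed, which NoNewPrivileges=
# already prevents.
# The name is CAP_SYS_RAWIO (there is no CAP_RAWIO); systemd ignores an unknown
# capability name with a log message, so the misspelt entry never took effect.
CapabilityBoundingSet = ~CAP_SYS_RAWIO CAP_MKNOD
CapabilityBoundingSet = ~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet = ~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet = ~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
CapabilityBoundingSet = ~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet = ~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet = ~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet = ~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet = ~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG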
[Install]
# `systemctl enable` hooks the service into the normal multi-user boot target.
WantedBy = multi-user.target