2017-12-08 00:35:52 +01:00
|
|
|
[Unit]
|
2018-07-29 17:18:55 +02:00
|
|
|
Description=__APP__ daemon
|
|
|
|
After=network.target postgresql.service redis-server.service
|
2017-12-08 00:35:52 +01:00
|
|
|
|
|
|
|
[Service]
|
|
|
|
Type=simple
|
|
|
|
Environment=NODE_ENV=production
|
2018-03-26 05:50:46 +02:00
|
|
|
Environment=NODE_CONFIG_DIR=__FINALPATH__/config
|
2017-12-08 00:35:52 +01:00
|
|
|
User=__APP__
|
|
|
|
Group=__APP__
|
2018-10-01 00:20:48 +02:00
|
|
|
Environment="PATH=__ENV_PATH__"
|
|
|
|
ExecStart=/bin/sh -c ' npm start'
|
2017-12-08 00:35:52 +01:00
|
|
|
WorkingDirectory=__FINALPATH__/
|
2017-12-11 05:28:25 +01:00
|
|
|
StandardOutput=syslog
|
|
|
|
StandardError=syslog
|
2018-03-26 05:50:46 +02:00
|
|
|
SyslogIdentifier=__APP__
|
2017-12-08 00:35:52 +01:00
|
|
|
Restart=always
|
|
|
|
|
2019-02-07 20:18:54 +01:00
|
|
|
; Some security directives.
|
|
|
|
; Use private /tmp and /var/tmp folders inside a new file system namespace,
|
|
|
|
; which are discarded after the process stops.
|
|
|
|
PrivateTmp=true
|
|
|
|
; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
|
|
|
|
ProtectSystem=full
|
|
|
|
; Sets up a new /dev mount for the process and only adds API pseudo devices
|
|
|
|
; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
|
|
|
|
; by default because it may not work on devices like the Raspberry Pi.
|
|
|
|
PrivateDevices=false
|
|
|
|
; Ensures that the service process and all its children can never gain new
|
|
|
|
; privileges through execve().
|
|
|
|
NoNewPrivileges=true
|
|
|
|
; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
|
|
|
|
; by this unit. Make sure that you do not depend on data inside these folders.
|
|
|
|
ProtectHome=false
|
|
|
|
; Drops the sys admin capability from the daemon.
|
|
|
|
CapabilityBoundingSet=~CAP_SYS_ADMIN
|
|
|
|
|
2017-12-08 00:35:52 +01:00
|
|
|
[Install]
|
|
|
|
WantedBy=multi-user.target
|