scrutiny_ynh/conf/systemd-scrutiny-web-server.service

[Unit]
Description=Scrutiny web server
After=network-online.target

[Service]
Type=simple
User=__APP__
Group=__APP__
WorkingDirectory=__INSTALL_DIR__
LogsDirectory=__APP__
StateDirectory=__APP__
ExecStart=__INSTALL_DIR__/bin/scrutiny-web-linux-amd64 start --config __INSTALL_DIR__/config/scrutiny.yaml
Restart=always
RestartSec=10s
StandardOutput=append:/var/log/__APP__/__APP__-web-server.log
StandardError=inherit

NoNewPrivileges=yes
ProtectHome=yes
#ProtectSystem=strict
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectClock=yes
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
CapabilityBoundingSet=

[Install]
WantedBy=multi-user.target
Version v0.6.0 2023-03-06 21:25:34 +01:00			`[Unit]`
			`Description=Scrutiny web server`
			`After=network-online.target`

			`[Service]`
			`Type=simple`
			`User=__APP__`
			`Group=__APP__`
			`WorkingDirectory=__INSTALL_DIR__`
			`LogsDirectory=__APP__`
			`StateDirectory=__APP__`
			`ExecStart=__INSTALL_DIR__/bin/scrutiny-web-linux-amd64 start --config __INSTALL_DIR__/config/scrutiny.yaml`
			`Restart=always`
			`RestartSec=10s`
			`StandardOutput=append:/var/log/__APP__/__APP__-web-server.log`
			`StandardError=inherit`

			`NoNewPrivileges=yes`
			`ProtectHome=yes`
			`#ProtectSystem=strict`
			`PrivateTmp=yes`
			`PrivateDevices=yes`
			`ProtectKernelTunables=yes`
			`ProtectKernelModules=yes`
			`ProtectKernelLogs=yes`
			`ProtectControlGroups=yes`
			`ProtectHostname=yes`
			`ProtectClock=yes`
			`RestrictAddressFamilies=AF_INET AF_INET6`
			`RestrictNamespaces=true`
			`LockPersonality=true`
			`MemoryDenyWriteExecute=true`
			`RestrictRealtime=true`
			`RestrictSUIDSGID=true`
			`RemoveIPC=true`
			`CapabilityBoundingSet=`

			`[Install]`
			`WantedBy=multi-user.target`