YunoHost-Apps/scrutiny_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/scrutiny_ynh.git synced 2024-09-03 20:16:24 +02:00
Code Issues Activity Actions
scrutiny_ynh/conf/systemd-scrutiny-collector.service
Sylvain 399fe073ae Fix
2024-02-25 17:47:04 +01:00

53 lines
2 KiB
Desktop File
Raw Permalink Blame History

[Unit]
Description=Scrutiny Collector
After=network-online.target scrutiny-web-server.service
[Service]
Type=oneshot
# Only root can fully execute smartcl features
User=root
Group=root
WorkingDirectory=__INSTALL_DIR__
LogsDirectory=__APP__
StateDirectory=__APP__
ExecStart=__INSTALL_DIR__/bin/scrutiny-collector-metrics-linux run --config __INSTALL_DIR__/config/collector.yaml
Restart=no
StandardOutput=append:/var/log/__APP__/collector.log
StandardError=inherit
# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
NoNewPrivileges=yes
PrivateTmp=yes
#PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
#DevicePolicy=closed
#ProtectClock=yes # smartctl apparently doesn't function properly with this protection in place
ProtectHostname=yes
ProtectProc=invisible
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallArchitectures=native
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
#CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
[Install]
WantedBy=multi-user.target
Reference in a new issue View git blame Copy permalink