
peertube.service 1.3 KB

  1. [Unit]
  2. Description=PeerTube daemon
  3. After=network.target postgresql.service redis-server.service
  4. [Service]
  5. Type=simple
  6. Environment=NODE_ENV=production
  7. Environment=NODE_CONFIG_DIR=/var/www/peertube/config
  8. User=peertube
  9. Group=peertube
  10. ExecStart=/usr/bin/npm start
  11. WorkingDirectory=/var/www/peertube/peertube-latest
  12. StandardOutput=syslog
  13. StandardError=syslog
  14. SyslogIdentifier=peertube
  15. Restart=always
  16. ; Some security directives.
  17. ; Use private /tmp and /var/tmp folders inside a new file system namespace,
  18. ; which are discarded after the process stops.
  19. PrivateTmp=true
  20. ; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
  21. ProtectSystem=full
  22. ; Sets up a new /dev mount for the process and only adds API pseudo devices
  23. ; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
  24. ; by default because it may not work on devices like the Raspberry Pi.
  25. PrivateDevices=false
  26. ; Ensures that the service process and all its children can never gain new
  27. ; privileges through execve().
  28. NoNewPrivileges=true
  29. ; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
  30. ; by this unit. Make sure that you do not depend on data inside these folders.
  31. ProtectHome=true
  32. ; Drops the sys admin capability from the daemon.
  33. CapabilityBoundingSet=~CAP_SYS_ADMIN
  34. [Install]
  35. WantedBy=multi-user.target