[Unit]
Description=mastodon-web
After=network.target

[Service]
Type=simple
User=mastodon
WorkingDirectory=/home/mastodon/live
Environment="RAILS_ENV=production"
Environment="PORT=3000"
# jemalloc is injected into the Ruby process via LD_PRELOAD.
Environment="LD_PRELOAD=libjemalloc.so"
ExecStart=/home/mastodon/.rbenv/shims/bundle exec puma -C config/puma.rb
# Reload is delivered as SIGUSR1 to the main (puma) process.
ExecReload=/bin/kill -SIGUSR1 $MAINPID
TimeoutSec=15
Restart=always

# --- Hardening --------------------------------------------------------------
# Privilege: empty capability bounding set, no privilege gain across exec,
# and no setuid/setgid file creation.
CapabilityBoundingSet=
NoNewPrivileges=true
RestrictSUIDSGID=true

# Filesystem: ProtectSystem=strict makes the whole tree read-only apart from
# the paths listed in ReadWritePaths=. NOTE(review): the writable path here is
# the entire checkout, application code included; if the app only writes to a
# few subdirectories (uploads, tmp, log), listing those instead would keep the
# code itself read-only — verify the app's runtime write paths before
# tightening. ProtectHome= is intentionally absent because the service lives
# under /home.
ProtectSystem=strict
ReadWritePaths=/home/mastodon/live
PrivateTmp=true
PrivateDevices=true
PrivateMounts=true

# Process and kernel visibility / tampering surface.
ProcSubset=pid
ProtectProc=invisible
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectClock=true
PrivateUsers=true
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
RemoveIPC=true

# Network: socket families the service may create. systemd merges repeated
# RestrictAddressFamilies= lines, so this single space-separated list is
# equivalent to one line per family. NOTE(review): confirm AF_NETLINK is
# actually needed by the web process; drop it if not.
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX

# System calls: native ABI only, deny the listed groups, then re-allow the
# few calls the app needs. Allow entries are applied in order, so one line
# with three entries behaves the same as three separate lines.
SystemCallArchitectures=native
SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
SystemCallFilter=@chown pipe pipe2

[Install]
WantedBy=multi-user.target