ren/Novoa
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
Novoa/content/docs/misskey/misskey.service
ren e7a4df538a Misskey Docs
2024-01-13 22:32:44 -06:00

72 lines
2.1 KiB
Desktop File
Raw Permalink Blame History

[Unit]
Description=Misskey daemon
[Service]
Type=simple
User=misskey
ExecStart=/usr/bin/pnpm start
WorkingDirectory=/other-dir/misskey
Environment="NODE_ENV=production"
TimeoutSec=60
SyslogIdentifier=misskey
Restart=always
; Some security directives.
; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
PrivateTmp=true
; The /home, /root, and /run/user folders can not be accessed by this service anymore. If your misskey user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to false.
ProtectHome=true
; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
PrivateDevices=true
; Drops the sysadmin capability from the daemon.
CapabilityBoundingSet=~CAP_SYS_ADMIN
# Make the system tree read-only.
ProtectSystem=strict
# Make some paths aviable and readable by the process
ReadWritePaths=/other-dir/misskey
# Allocate a separate /tmp.
PrivateTmp=yes
# Ensure the service can never gain new privileges.
NoNewPrivileges=yes
# Prohibit access to any kind of namespacing.
RestrictNamespaces=yes
# Make cgroup file system hierarchy inaccessible.
ProtectControlGroups=yes
# Deny kernel module loading.
ProtectKernelModules=yes
# Make kernel variables (e.g. /proc/sys) read-only.
ProtectKernelTunables=yes
# Deny hostname changing.
ProtectHostname=yes
# Deny realtime scheduling.
RestrictRealtime=yes
# Deny access to the kernel log ring buffer.
ProtectKernelLogs=yes
# Deny setting the hardware or system clock.
ProtectClock=yes
# Filter dangerous system calls. The following is listed as safe basic
# choice in systemd.exec(5).
SystemCallArchitectures=native
# Deny kernel execution domain changing.
LockPersonality=yes
# Deny memory mappings that are writable and executable.
# Node fucking dies if this is enabled.
#MemoryDenyWriteExecute=yes
[Install]
WantedBy=multi-user.target
Reference in a new issue View git blame Copy permalink