author | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-06-12 21:02:22 -0400 |
committer | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-06-12 21:02:22 -0400 |
commit | 865e2f05621fc10f3d332d3840707997c0b94abf (patch) | |
tree | b5f0c85951175b813996991298501c6afb012824 /roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j2 | |
parent | 78fd379d33bd6853123c02a76c97ca382aa24be9 (diff) | |
download | selfhosted-865e2f05621fc10f3d332d3840707997c0b94abf.tar.gz selfhosted-865e2f05621fc10f3d332d3840707997c0b94abf.zip |
add mastodon role
Diffstat (limited to 'roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j2')
-rw-r--r-- | roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j2 | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j2 b/roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j2
new file mode 100644
index 0000000..6a3fd03
--- /dev/null
+++ b/roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j2
@@ -0,0 +1,52 @@
+[Unit]
+Description=mastodon-web
+After=network.target
+
+[Service]
+Type=simple
+User={{ mastodon_user }}
+WorkingDirectory={{ mastodon_install_dir }}
+Environment="RAILS_ENV=production"
+Environment="PORT={{ mastodon_web_port }}"
+ExecStart=/usr/bin/bundle exec puma -C config/puma.rb
+ExecReload=/bin/kill -SIGUSR1 $MAINPID
+TimeoutSec=15
+Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths={{ mastodon_install_dir }}
+
+[Install]
+WantedBy=multi-user.target |
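Review bot: `ReadWritePaths={{ mastodon_install_dir }}` near the end of the hunk grants the puma worker write access to the whole application tree, which largely undoes `ProtectSystem=strict` for the very code and configuration the service executes, so a compromised web process could persist changes under the install directory. If the runtime writes are limited to uploaded media, temporary files and logs, this can presumably be narrowed to those subdirectories (confirm against the deployed tree and the storage backend in use), leaving the rest of `{{ mastodon_install_dir }}` read-only. The syscall section would also benefit from a comment explaining the carve-outs, because the bare `SystemCallFilter=@chown`, `SystemCallFilter=pipe` and `SystemCallFilter=pipe2` lines read like allow-lists but, following the `~...` deny-list above them, actually re-enable calls that `@privileged` and `@ipc` removed: `# re-allow chown (from @privileged) and pipe/pipe2 (from @ipc) that the deny-list above removes`.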