Diffstat (limited to 'roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j2')
-rw-r--r--roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j252
1 files changed, 52 insertions, 0 deletions
diff --git a/roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j2 b/roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j2
new file mode 100644
index 0000000..6a3fd03
--- /dev/null
+++ b/roles/mastodon/templates/etc/systemd/system/mastodon-web.service.j2
@@ -0,0 +1,52 @@
+[Unit]
+Description=mastodon-web
+After=network.target
+
+[Service]
+Type=simple
+User={{ mastodon_user }}
+WorkingDirectory={{ mastodon_install_dir }}
+Environment="RAILS_ENV=production"
+Environment="PORT={{ mastodon_web_port }}"
+ExecStart=/usr/bin/bundle exec puma -C config/puma.rb
+ExecReload=/bin/kill -SIGUSR1 $MAINPID
+TimeoutSec=15
+Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths={{ mastodon_install_dir }}
+
+[Install]
+WantedBy=multi-user.target
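Review bot: `ReadWritePaths={{ mastodon_install_dir }}` makes the whole install tree writable by the service, so `ProtectSystem=strict` no longer protects the application's own code and configuration files from a compromised web process. Narrowing it to the subdirectories the app writes at runtime would keep the rest read-only, e.g. `ReadWritePaths={{ mastodon_install_dir }}/<WRITABLE_SUBDIR_1> {{ mastodon_install_dir }}/<WRITABLE_SUBDIR_2>`. In a Rails tree those are usually the temp, log and upload directories, but that needs confirming for this deployment. Separately, the three un-negated `SystemCallFilter=` lines read like a switch to an allow-list; a comment above them such as `# Re-allow from the deny-list above: @chown (part of @privileged), pipe/pipe2 (part of @ipc)` would record the intent.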