闭社主体 forked from https://github.com/tootsuite/mastodon


  # systemd unit for the Mastodon web process: puma, started through bundler,
  # running as the unprivileged "mastodon" user inside a restrictive sandbox.
  [Unit]
  Description=mastodon-web
  After=network.target

  [Service]
  Type=simple
  User=mastodon
  WorkingDirectory=/home/mastodon/live
  Environment="RAILS_ENV=production"
  Environment="PORT=3000"
  ExecStart=/home/mastodon/.rbenv/shims/bundle exec puma -C config/puma.rb
  # Reload is implemented by signalling the main process with SIGUSR1.
  ExecReload=/bin/kill -SIGUSR1 $MAINPID
  TimeoutSec=15
  Restart=always

  # Capabilities
  # An empty assignment clears the capability bounding set, so neither the
  # service nor its children can hold any Linux capability.
  CapabilityBoundingSet=

  # Security
  # Blocks privilege gain through execve() (setuid/setgid bits, file caps).
  NoNewPrivileges=true

  # Sandboxing
  # strict mounts the whole file system hierarchy read-only for this service,
  # apart from /dev, /proc and /sys.
  # NOTE(review): that includes WorkingDirectory. If the application writes
  # below it (uploads, caches, pid files), those directories need to be listed
  # in ReadWritePaths= -- confirm against the deployment and keep the list as
  # narrow as possible.
  ProtectSystem=strict
  PrivateTmp=true
  PrivateDevices=true
  PrivateUsers=true
  PrivateMounts=true
  ProtectHostname=true
  ProtectClock=true
  ProtectKernelLogs=true
  ProtectKernelModules=true
  ProtectKernelTunables=true
  ProtectControlGroups=true
  # Allow-list of socket families; sockets of any other family cannot be created.
  RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
  RestrictNamespaces=true
  RestrictRealtime=true
  RestrictSUIDSGID=true
  LockPersonality=true

  # System Call Filtering
  # Only system calls of the native ABI are permitted.
  SystemCallArchitectures=native
  # Leading "~" makes this a deny-list of system call groups.
  # NOTE(review): no SystemCallErrorNumber= is set, so a denied call terminates
  # the process (SIGSYS) instead of returning an error. Confirm the Ruby runtime
  # and puma never call into these groups (@resources in particular), and watch
  # the journal/audit log for seccomp kills after deploying.
  SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @resources @setuid @swap

  [Install]
  WantedBy=multi-user.target