pleroma/otp/files/[email protected]
author Luke Hoersten <luke@hoersten.org>
Fri, 11 Dec 2020 07:08:41 -0600
changeset 147 83e9097520a0
parent 103 78a072bbf3c1
child 182 b4ce6f1f15b7
permissions -rw-r--r--
Add iperf3 server service.

[Unit]
Description=Pleroma social network instance "%I"
After=network.target postgresql.service nginx.service

[Service]
User=pleroma
WorkingDirectory=/opt/pleroma

Environment="HOME=/opt/pleroma"
Environment="PLEROMA_CONFIG_PATH=/etc/pleroma/%i.config.exs"
Environment="PLUG_TMPDIR=/tmp/%i"
Environment="RELEASE_NODE=%[email protected]"

ExecStart=/opt/pleroma/bin/pleroma start
ExecReload=/opt/pleroma/bin/pleroma stop

KillMode=process
Restart=on-failure

; Some security directives.
; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops.
PrivateTmp=true
; The /home, /root, and /run/user folders can not be accessed by this service anymore. If your Pleroma user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to false.
ProtectHome=true
; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
ProtectSystem=full
; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled by default because it may not work on devices like the Raspberry Pi.
PrivateDevices=false
; Ensures that the service process and all its children can never gain new privileges through execve().
NoNewPrivileges=true
; Drops the sysadmin capability from the daemon.
CapabilityBoundingSet=~CAP_SYS_ADMIN

[Install]
WantedBy=multi-user.target