| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354 |
- [Unit]
- Description=Homarr
- After=network.target
- [Service]
- Type=simple
- User=__APP__
- Group=__APP__
- WorkingDirectory=__FINALPATH__/
- Environment="PATH=__ENV_PATH__"
- Environment="NODE_ENV=production"
- Environment="PORT=__PORT__"
- ExecStart=/usr/bin/yarn start
- Restart=on-failure
- RestartSec=5
- StartLimitInterval=60s
- StartLimitBurst=3
- # Sandboxing options to harden security
- # Depending on specificities of your service/app, you may need to tweak these
- # .. but this should be a good baseline
- # Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
- NoNewPrivileges=yes
- PrivateTmp=yes
- PrivateDevices=yes
- RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
- RestrictNamespaces=yes
- RestrictRealtime=yes
- DevicePolicy=closed
- ProtectClock=yes
- ProtectHostname=yes
- ProtectProc=invisible
- ProtectSystem=full
- ProtectControlGroups=yes
- ProtectKernelModules=yes
- ProtectKernelTunables=yes
- LockPersonality=yes
- SystemCallArchitectures=native
- SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
- # Denying access to capabilities that should not be relevant for webapps
- # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
- CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
- CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
- CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
- CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
- CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
- CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
- CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
- CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
- CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
- [Install]
- WantedBy=multi-user.target
|
