-
Notifications
You must be signed in to change notification settings - Fork 1.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #417 from kmohrf/master
add systemd service unit
- Loading branch information
Showing
1 changed file
with
69 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| [Unit] | ||
| Description=listmonk mailing list and newsletter manager (%I) | ||
| ConditionPathExists=/etc/listmonk/%i.toml | ||
| Wants=network.target | ||
| # The PostgreSQL database may not be on the same host but if it | ||
| # is listmonk should wait for it to start up. | ||
| After=postgresql.service | ||
|
|
||
| [Service] | ||
| Type=simple | ||
| EnvironmentFile=-/etc/default/listmonk | ||
| EnvironmentFile=-/etc/default/listmonk-%i | ||
| ExecStartPre=/usr/bin/mkdir -p "${HOME}/uploads" | ||
| ExecStartPre=/usr/bin/listmonk --config /etc/listmonk/%i.toml --upgrade --yes | ||
| ExecStart=/usr/bin/listmonk --config /etc/listmonk/%i.toml $SYSTEMD_LISTMONK_ARGS | ||
| Restart=on-failure | ||
|
|
||
| # Create dynamic users for listmonk service instances | ||
| # but create a state directory for uploads in /var/lib/private/%i. | ||
| DynamicUser=True | ||
| StateDirectory=listmonk-%i | ||
| Environment=HOME=%S/listmonk-%i | ||
| WorkingDirectory=%S/listmonk-%i | ||
|
|
||
| # Use systemd’s ability to disable security-sensitive features | ||
| # that listmonk does not explicitly need. | ||
| # NoNewPrivileges should be enabled by DynamicUser=yes but systemd-analyze | ||
| # still recommended to explicitly enable it. | ||
| NoNewPrivileges=True | ||
| # listmonk doesn’t need any capabilities as defined by the linux kernel | ||
| # see: https://man7.org/linux/man-pages/man7/capabilities.7.html | ||
| CapabilityBoundingSet= | ||
| # listmonk only executes native code with no need for any other ABIs. | ||
| SystemCallArchitectures=native | ||
| # Only enable a reasonable set of system calls. | ||
| # see: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter= | ||
| SystemCallFilter=@system-service | ||
| SystemCallFilter=~@privileged @resources | ||
| # ProtectSystem=strict, which is implied by DynamicUser=True, already disabled write calls | ||
| # to the entire filesystem hierarchy, leaving only /dev/, /proc/, and /sys/ writable. | ||
| # listmonk doesn’t need access to those so might as well disable them. | ||
| PrivateDevices=True | ||
| ProtectControlGroups=True | ||
| ProtectKernelTunables=True | ||
| # Make /home/, /root/, and /run/user/ inaccessible. | ||
| ProtectHome=True | ||
| # listmonk doesn’t handle any specific device nodes. | ||
| DeviceAllow=False | ||
| # listmonk doesn’t make use of linux namespaces. | ||
| RestrictNamespaces=True | ||
| # listmonk doesn’t need realtime scheduling. | ||
| RestrictRealtime=True | ||
| # Make sure files created by listmonk are only readable by itself and | ||
| # others in the listmonk system group. | ||
| UMask=0027 | ||
| # Disable memory mappings that are both writable and executable. | ||
| MemoryDenyWriteExecute=True | ||
| # listmonk doesn’t make use of linux personality switching. | ||
| LockPersonality=True | ||
| # listmonk only needs to support the IPv4 and IPv6 address families. | ||
| RestrictAddressFamilies=AF_INET AF_INET6 | ||
| # listmonk doesn’t need to load any linux kernel modules. | ||
| ProtectKernelModules=True | ||
| # Create a sandboxed environment where the system users are mapped to a | ||
| # service-specific linux kernel namespace. | ||
| PrivateUsers=True | ||
|
|
||
| [Install] | ||
| WantedBy=multi-user.target |