Federated social network node, running on kosmos.social
https://kosmos.social
# systemd unit for the Mastodon web process (Puma), with a hardened sandbox.
# Comments are full-line only; systemd does not support trailing comments.

[Unit]
Description=mastodon-web
After=network.target

[Service]
Type=simple
# Runs as an unprivileged account; every restriction below applies on top of that.
User=mastodon
WorkingDirectory=/home/mastodon/live
Environment="RAILS_ENV=production"
Environment="PORT=3000"
# Bare soname: the dynamic linker resolves it through its normal search path.
Environment="LD_PRELOAD=libjemalloc.so"
ExecStart=/home/mastodon/.rbenv/shims/bundle exec puma -C config/puma.rb
# Puma treats SIGUSR1 as a phased-restart request.
ExecReload=/bin/kill -SIGUSR1 $MAINPID
TimeoutSec=15
Restart=always

# Proc filesystem
# Expose only the per-process part of /proc, and hide other users' processes.
ProcSubset=pid
ProtectProc=invisible

# Capabilities
# Empty assignment: the bounding set is cleared, so no capability can be held.
CapabilityBoundingSet=

# Security
# Blocks privilege gain through execve (setuid/setgid binaries, file capabilities).
NoNewPrivileges=true

# Sandboxing
# strict = the whole file system is read-only for this unit except /dev, /proc
# and /sys; ReadWritePaths at the end of this section is the only exemption.
ProtectSystem=strict
PrivateTmp=true
PrivateDevices=true
PrivateUsers=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
# Allow-list of socket families (the setting accumulates across assignments).
# NOTE(review): AF_NETLINK is presumably kept for interface/address lookups - confirm it is needed.
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
LockPersonality=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
PrivateMounts=true
ProtectClock=true

# System Call Filtering
SystemCallArchitectures=native
# Order matters. The first assignment starts with "~", so the filter is a deny
# list and every syscall not named in it stays allowed.
SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
# Later assignments without "~" take entries back out of the deny list:
# @chown is otherwise covered by @privileged, pipe and pipe2 by @ipc.
SystemCallFilter=@chown pipe pipe2

# The single writable path under ProtectSystem=strict.
# NOTE(review): this is the whole application tree, so code and configuration
# are writable by the service as well as its data; consider narrowing it to the
# subdirectories the application actually writes to.
ReadWritePaths=/home/mastodon/live

[Install]
WantedBy=multi-user.target