Add service fileHEAD master

author: Leonardo Bishop <me@leonardobishop.net> 2025-08-06 22:46:48 +0100
committer: Leonardo Bishop <me@leonardobishop.net> 2025-08-06 22:46:48 +0100
commit: 1d5d47c2f799717d5786d66a491bf7f4bfe38977 (patch)
tree: 46aeb9ceb7ff36f26f3cc1ee108e0c57b972649d /scrapbook.service
parent: 08cbadf5c42c112c7fd7a1b961fb668f19a18973 (diff)
1 files changed, 35 insertions, 0 deletions
diff --git a/scrapbook.service b/scrapbook.service
new file mode 100644
index 0000000..af6379d
--- /dev/null
+++ b/scrapbook.service
@@ -0,0 +1,35 @@
+[Unit]
+Description=scrapbook server
+
+[Service]
+User=scrapbook
+Group=scrapbook
+Restart=always
+ExecStart=/usr/bin/scrapbook
+
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+TemporaryFileSystem=/var:ro /etc:ro
+BindReadOnlyPaths=/etc/scrapbook
+BindPaths=/var/lib/scrapbook
+NoExecPaths=/
+ExecPaths=/usr/bin/scrapbook
+
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectClock=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+
+[Install]
+WantedBy=multi-user.target
author	Leonardo Bishop <me@leonardobishop.net>	2025-08-06 22:46:48 +0100
committer	Leonardo Bishop <me@leonardobishop.net>	2025-08-06 22:46:48 +0100
commit	1d5d47c2f799717d5786d66a491bf7f4bfe38977 (patch)
tree	46aeb9ceb7ff36f26f3cc1ee108e0c57b972649d /scrapbook.service
parent	08cbadf5c42c112c7fd7a1b961fb668f19a18973 (diff)