diff options
| -rw-r--r-- | .gitignore | 2 | ||||
| -rw-r--r-- | scrapbook.service | 35 |
2 files changed, 36 insertions, 1 deletions
@@ -2,5 +2,5 @@ !.gitignore !PKGBUILD !scrapbook-sysusers.conf -!scrapbook.conf +!scrapbook.service !config.toml
\ No newline at end of file diff --git a/scrapbook.service b/scrapbook.service new file mode 100644 index 0000000..af6379d --- /dev/null +++ b/scrapbook.service @@ -0,0 +1,35 @@ +[Unit] +Description=scrapbook server + +[Service] +User=scrapbook +Group=scrapbook +Restart=always +ExecStart=/usr/bin/scrapbook + +CapabilityBoundingSet=CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_BIND_SERVICE +NoNewPrivileges=true +SystemCallFilter=@system-service +SystemCallErrorNumber=EPERM + +ProtectSystem=strict +ProtectHome=true +PrivateTmp=true +PrivateDevices=true +TemporaryFileSystem=/var:ro /etc:ro +BindReadOnlyPaths=/etc/scrapbook +BindPaths=/var/lib/scrapbook +NoExecPaths=/ +ExecPaths=/usr/bin/scrapbook + +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +ProtectClock=true +RestrictRealtime=true +RestrictSUIDSGID=true + +[Install] +WantedBy=multi-user.target |