Initial commitHEADmaster

1 files changed, 32 insertions, 0 deletions

diff --git a/walrss.service b/walrss.service
new file mode 100644
index 0000000..ae8f2d9
--- /dev/null
+++ b/walrss.service
@@ -0,0 +1,32 @@
+[Unit]
+Description=Email-based RSS digest generator
+
+[Service]
+User=walrss
+Restart=always
+ExecStart=/usr/bin/walrss
+StateDirectory=walrss
+EnvironmentFile=/etc/conf.d/walrss
+
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ExecPaths=/usr/bin/walrss
+
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectClock=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+
+[Install]
+WantedBy=multi-user.target