Initial commit

author: Leonardo Bishop <me@leonardobishop.net> 2025-08-07 15:14:27 +0100
committer: Leonardo Bishop <me@leonardobishop.net> 2025-08-07 15:18:14 +0100
commit: 658fbb94d5f0e9c10e8753d227bb16c287065ee1 (patch)
tree: add752297cab2203248ef40dfeec39198f989620 /walrss.service
1 files changed, 32 insertions, 0 deletions
diff --git a/walrss.service b/walrss.service
new file mode 100644
index 0000000..ae8f2d9
--- /dev/null
+++ b/walrss.service
@@ -0,0 +1,32 @@
+[Unit]
+Description=Email-based RSS digest generator
+
+[Service]
+User=walrss
+Restart=always
+ExecStart=/usr/bin/walrss
+StateDirectory=walrss
+EnvironmentFile=/etc/conf.d/walrss
+
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ExecPaths=/usr/bin/walrss
+
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectClock=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+
+[Install]
+WantedBy=multi-user.target
author	Leonardo Bishop <me@leonardobishop.net>	2025-08-07 15:14:27 +0100
committer	Leonardo Bishop <me@leonardobishop.net>	2025-08-07 15:18:14 +0100
commit	658fbb94d5f0e9c10e8753d227bb16c287065ee1 (patch)
tree	add752297cab2203248ef40dfeec39198f989620 /walrss.service