couchdb/repos/community-x86_64/couchdb.service

   1 [Unit]
   2 Description=CouchDB Server
   3
   4 [Service]
   5 User=couchdb
   6 Group=couchdb
   7 Type=simple
   8 WorkingDirectory=~
   9 StateDirectory=couchdb
  10 EnvironmentFile=/etc/default/couchdb
  11 ExecStart=/usr/lib/couchdb/bin/couchdb
  12 ReadWritePaths=/etc/couchdb/local.ini
  13 Restart=always
  14 RestartSec=2s
  15 AmbientCapabilities=
  16 CapabilityBoundingSet=
  17 LockPersonality=true
  18 # Not compatible with the use of JS
  19 #MemoryDenyWriteExecute=true
  20 NoNewPrivileges=True
  21 PrivateDevices=true
  22 PrivateTmp=true
  23 PrivateUsers=true
  24 ProtectClock=true
  25 ProtectControlGroups=yes
  26 ProtectHome=true
  27 ProtectHostname=true
  28 ProtectKernelLogs=true
  29 ProtectKernelModules=yes
  30 ProtectKernelTunables=true
  31 ProtectProc=invisible
  32 ProtectSystem=strict
  33 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
  34 RestrictNamespaces=true
  35 RestrictRealtime=true
  36 RestrictSUIDSGID=true
  37 SystemCallArchitectures=native
  38 SystemCallFilter=@system-service
  39 SystemCallErrorNumber=EPERM
  40
  41 [Install]
  42 WantedBy=multi-user.target