hedgedoc/trunk/hedgedoc.service

   1 [Unit]
   2 Description=Hedgedoc real-time collaborative markdown editor
   3 After=network.target
   4
   5 [Service]
   6 Type=exec
   7
   8 Environment=NODE_ENV=production
   9
  10 Restart=always
  11 RestartSec=2s
  12
  13 User=hedgedoc
  14 Group=hedgedoc
  15
  16 WorkingDirectory=/usr/share/webapps/hedgedoc
  17 ExecStart=/usr/bin/node app.js
  18
  19 CapabilityBoundingSet=
  20 NoNewPrivileges=true
  21 PrivateDevices=true
  22 RemoveIPC=true
  23 LockPersonality=true
  24
  25 ProtectControlGroups=true
  26 ProtectKernelTunables=true
  27 ProtectKernelModules=true
  28 ProtectKernelLogs=true
  29 ProtectClock=true
  30 ProtectHostname=true
  31 ProtectProc=noaccess
  32
  33 RestrictRealtime=true
  34 RestrictSUIDSGID=true
  35 RestrictNamespaces=true
  36 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
  37
  38 ProtectSystem=strict
  39 ProtectHome=true
  40 PrivateTmp=true
  41 ReadWritePaths=/var/lib/hedgedoc /run/hedgedoc
  42
  43 SystemCallArchitectures=native
  44 SystemCallFilter=@system-service @pkey
  45
  46 [Install]
  47 WantedBy=multi-user.target