charm/trunk/systemd.service

   1 [Unit]
   2 Description=The mystical Charm Cloud 🌟
   3 Documentation=https://github.com/charmbracelet/charm
   4 Requires=network-online.target
   5 After=network-online.target
   6
   7 [Service]
   8 Type=simple
   9 User=charm
  10 Group=charm
  11 Restart=always
  12 RestartSec=1
  13 ExecStart=/usr/bin/charm serve
  14 EnvironmentFile=-/etc/charm.conf
  15
  16 # Hardening
  17 ReadWritePaths=/var/lib/charm
  18 UMask=0027
  19 NoNewPrivileges=true
  20 LimitNOFILE=1048576
  21 ProtectSystem=strict
  22 ProtectHome=true
  23 PrivateUsers=yes
  24 PrivateTmp=true
  25 PrivateDevices=true
  26 ProtectHostname=true
  27 ProtectClock=true
  28 ProtectKernelTunables=true
  29 ProtectKernelModules=true
  30 ProtectKernelLogs=true
  31 ProtectControlGroups=true
  32 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
  33 RestrictNamespaces=true
  34 LockPersonality=true
  35 MemoryDenyWriteExecute=true
  36 RestrictRealtime=true
  37 RestrictSUIDSGID=true
  38 RemoveIPC=true
  39 CapabilityBoundingSet=
  40 AmbientCapabilities=
  41 SystemCallFilter=@system-service
  42 SystemCallFilter=~@privileged @resources
  43 SystemCallArchitectures=native
  44
  45 [Install]
  46 WantedBy=multi-user.target