cozy-stack/repos/community-x86_64/cozy-stack.service

   1 [Unit]
   2 Description=Cozy service
   3 Wants=couchdb.service
   4 After=network.target couchdb.service
   5
   6 [Service]
   7 User=cozy
   8 Group=cozy
   9 PermissionsStartOnly=true
  10 WorkingDirectory=~
  11 StateDirectory=cozy
  12 ExecStart=/usr/bin/cozy-stack serve
  13 Restart=always
  14 AmbientCapabilities=
  15 CapabilityBoundingSet=
  16 LockPersonality=true
  17 #Not compatible with NodeJS
  18 #MemoryDenyWriteExecute=true
  19 NoNewPrivileges=True
  20 PrivateDevices=true
  21 PrivateTmp=true
  22 PrivateUsers=true
  23 ProtectClock=true
  24 ProtectControlGroups=true
  25 ProtectHome=true
  26 ProtectHostname=true
  27 ProtectKernelLogs=true
  28 ProtectKernelModules=true
  29 ProtectKernelTunables=true
  30 ProtectProc=invisible
  31 ProtectSystem=strict
  32 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
  33 RestrictNamespaces=true
  34 RestrictRealtime=true
  35 RestrictSUIDSGID=true
  36 #SecureBits=noroot-locked
  37 SystemCallArchitectures=native
  38 SystemCallFilter=@system-service
  39 SystemCallErrorNumber=EPERM
  40
  41 [Install]
  42 WantedBy=multi-user.target