icecast/trunk/icecast.service

   1 [Unit]
   2 Description=Icecast Network Audio Streaming Server
   3 After=network.target
   4
   5 [Service]
   6 CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_KILL CAP_SYS_BOOT CAP_LINUX_IMMUTABLE CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_FOWNER CAP_IPC_OWNER CAP_NET_ADMIN CAP_IPC_LOCK CAP_SYS_CHROOT CAP_BLOCK_SUSPEND CAP_LEASE CAP_SYS_PACCT CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM CAP_SYS_NICE CAP_SYS_RESOURCE CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
   7 ExecStart=/usr/bin/icecast -c /etc/icecast.xml
   8 ExecReload=/usr/bin/kill -HUP $MAINPID
   9 Group=icecast
  10 IPAccounting=yes
  11 LogsDirectory=icecast
  12 LockPersonality=true
  13 MemoryDenyWriteExecute=true
  14 NoNewPrivileges=true
  15 PrivateDevices=true
  16 PrivateTmp=true
  17 PrivateUsers=true
  18 ProtectClock=true
  19 ProtectControlGroups=true
  20 ProtectHome=true
  21 ProtectHostname=true
  22 ProtectKernelLogs=true
  23 ProtectKernelModules=true
  24 ProtectKernelTunables=true
  25 ProtectSystem=strict
  26 ReadOnlyPaths=/etc/icecast.xml
  27 RemoveIPC=true
  28 RestrictAddressFamilies=~AF_AX25 AF_IPX AF_APPLETALK AF_X25 AF_DECnet AF_KEY AF_NETLINK AF_PACKET AF_RDS AF_PPPOX AF_LLC AF_IB AF_MPLS AF_CAN AF_TIPC AF_BLUETOOTH AF_ALG AF_VSOCK AF_KCM AF_XDP AF_UNIX
  29 RestrictAddressFamilies=AF_INET AF_INET6
  30 RestrictNamespaces=true
  31 RestrictRealtime=true
  32 RestrictSUIDSGID=true
  33 RuntimeDirectory=icecast
  34 StateDirectory=icecast
  35 SystemCallArchitectures=native
  36 SystemCallFilter=@system-service
  37 SystemCallFilter=~@resources @privileged
  38 Type=exec
  39 UMask=177
  40 User=icecast
  41
  42 [Install]
  43 WantedBy=multi-user.target