add sample systemd files
parent
f690d10ead
commit
86925ae262
3 changed files with 116 additions and 0 deletions
38
contrib/systemd/cubby.service
Normal file
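--- a/contrib/systemd/cubby.service
+++ b/contrib/systemd/cubby.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=Cubby in-memory key-value cache (system-wide)
+Documentation=https://git.juancwu.dev/juancwu/cubby
+After=network.target
+
+[Service]
+Type=simple
+# Run as a dedicated user. Create with:
+# sudo useradd --system --no-create-home --shell /usr/sbin/nologin cubby
+User=cubby
+Group=cubby
+
+# Path to the cubby binary. Build with:
+# go build -o /usr/local/bin/cubby ./cmd/cubby
+ExecStart=/usr/local/bin/cubby -socket /run/cubby/cubby.sock -group cubby
+
+# /run/cubby/ is created automatically and owned by User/Group above.
+RuntimeDirectory=cubby
+RuntimeDirectoryMode=0755
+
+Restart=on-failure
+RestartSec=2s
+
+# Hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target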
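Review bot: `RuntimeDirectoryMode=0755` leaves /run/cubby traversable by every local user, so who can reach the cache rests entirely on the mode cubby itself gives cubby.sock, which this unit does not show. If the intent of `-group cubby` is that only members of that group connect, `RuntimeDirectoryMode=0750` enforces the same boundary at the directory and still lets group members reach the socket. Separately, the systemd documentation recommends combining `RestrictAddressFamilies=` and `MemoryDenyWriteExecute=` with `SystemCallArchitectures=native`, because those restrictions are only applied to the native ABI's system calls; adding that line to the Hardening group would complete them. A short comment above `RuntimeDirectoryMode=` stating who is expected to connect would also help the next reader judge the mode.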