2019-03-16 16:02:21 +01:00
|
|
|
[Unit]
|
|
|
|
|
Description=zrepl daemon
|
|
|
|
|
Documentation=https://zrepl.github.io
|
|
|
|
|
|
|
|
|
|
[Service]
|
|
|
|
|
Type=simple
|
2019-10-25 16:44:55 +02:00
|
|
|
ExecStartPre=/usr/local/bin/zrepl --config /etc/zrepl/zrepl.yml configcheck
|
2019-03-16 16:02:21 +01:00
|
|
|
ExecStart=/usr/local/bin/zrepl --config /etc/zrepl/zrepl.yml daemon
|
2019-10-25 16:44:55 +02:00
|
|
|
RuntimeDirectory=zrepl zrepl/stdinserver
|
2019-03-16 16:02:21 +01:00
|
|
|
RuntimeDirectoryMode=0700
|
|
|
|
|
|
|
|
|
|
ProtectSystem=strict
|
|
|
|
|
#PrivateDevices=yes # TODO ZFS needs access to /dev/zfs, could we limit this?
|
|
|
|
|
ProtectKernelTunables=yes
|
|
|
|
|
ProtectControlGroups=yes
|
|
|
|
|
PrivateTmp=yes
|
|
|
|
|
#PrivateUsers=yes # TODO Does not work, why?
|
|
|
|
|
ProtectKernelModules=true
|
|
|
|
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
|
|
|
|
RestrictNamespaces=true
|
|
|
|
|
RestrictRealtime=yes
|
|
|
|
|
SystemCallArchitectures=native
|
|
|
|
|
|
2019-10-06 13:12:19 +02:00
|
|
|
ProtectHome=read-only
|
2019-11-20 18:42:53 +01:00
|
|
|
# ProtectHome=tmpfs totally possible, not by default though because of Debian stretch
|
|
|
|
|
|
|
|
|
|
# SystemCallFilter
|
|
|
|
|
# ~@privileged doesn't work with Ubuntu 18.04 ssh
|
|
|
|
|
SystemCallFilter=~ @mount @cpu-emulation @keyring @module @obsolete @raw-io @debug @clock @resources
|
2019-03-16 16:02:21 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
[Install]
|
|
|
|
|
WantedBy=multi-user.target
|
