mirror of
https://github.com/zrepl/zrepl.git
synced 2024-11-22 00:13:52 +01:00
34 lines
987 B
Desktop File
34 lines
987 B
Desktop File
[Unit]
|
|
Description=zrepl daemon
|
|
Documentation=https://zrepl.github.io
|
|
|
|
[Service]
|
|
Type=simple
|
|
ExecStartPre=/usr/local/bin/zrepl --config /etc/zrepl/zrepl.yml configcheck
|
|
ExecStart=/usr/local/bin/zrepl --config /etc/zrepl/zrepl.yml daemon
|
|
RuntimeDirectory=zrepl zrepl/stdinserver
|
|
RuntimeDirectoryMode=0700
|
|
|
|
ProtectSystem=strict
|
|
#PrivateDevices=yes # TODO ZFS needs access to /dev/zfs, could we limit this?
|
|
ProtectKernelTunables=yes
|
|
ProtectControlGroups=yes
|
|
PrivateTmp=yes
|
|
#PrivateUsers=yes # TODO Does not work, why?
|
|
ProtectKernelModules=true
|
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
|
RestrictNamespaces=true
|
|
RestrictRealtime=yes
|
|
SystemCallArchitectures=native
|
|
|
|
ProtectHome=read-only
|
|
# ProtectHome=tmpfs totally possible, not by default though because of Debian stretch
|
|
|
|
# SystemCallFilter
|
|
# ~@privileged doesn't work with Ubuntu 18.04 ssh
|
|
SystemCallFilter=~ @mount @cpu-emulation @keyring @module @obsolete @raw-io @debug @clock @resources
|
|
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|