
max / makenotwork

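# systemd unit for the MNW CLI SSH server (mnw-cli), run as the
# unprivileged mnw-cli user out of /opt/mnw-cli.

[Unit]
Description=MNW CLI SSH Server
Documentation=https://makenot.work/docs
# Wants= only pulls network-online.target into the transaction; it does not
# order this unit after it. The target is therefore listed in After= as well.
After=network.target network-online.target makenotwork.service
Wants=network-online.target

[Service]
Type=simple
User=mnw-cli
Group=mnw-cli
WorkingDirectory=/opt/mnw-cli
ExecStart=/opt/mnw-cli/mnw-cli
Restart=always
RestartSec=5

# Environment
# NOTE(review): the .env file, like the ExecStart binary, lives under
# /opt/mnw-cli, which ReadWritePaths= below makes writable inside the
# sandbox. File ownership is not visible here; confirm both are owned by root
# and not writable by mnw-cli, otherwise a compromised service process could
# replace what runs on the next restart.
EnvironmentFile=/opt/mnw-cli/.env
Environment=HOME=/opt/mnw-cli

# Security hardening
# NoNewPrivileges and RestrictSUIDSGID must be false because mnw-cli
# spawns git operations via sudo -u git (requires setuid escalation).
#
# NOTE(review): with NoNewPrivileges=false the sudoers rule for mnw-cli is the
# real privilege boundary of this service; keep it limited to the exact git
# commands needed, as user git only.
# NOTE(review): systemd.exec(5) documents RestrictSUIDSGID= as denying
# attempts to set SUID/SGID bits on files, not as blocking execution of
# existing setuid binaries. It also documents that RestrictSUIDSGID= and
# several settings used below (RestrictAddressFamilies=, RestrictNamespaces=,
# RestrictRealtime=, LockPersonality=, ProtectKernelTunables=,
# ProtectKernelModules=, SystemCallArchitectures=) imply NoNewPrivileges=yes
# when the service runs without CAP_SYS_ADMIN, e.g. with User= set. Confirm
# the effective state on the target host (NoNewPrivs in /proc/PID/status of
# the running service) and that the sudo path really works.
NoNewPrivileges=false
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
# Space-separated list of paths that stay writable under ProtectSystem=strict.
ReadWritePaths=/opt/mnw-cli /var/lib/mnw-cli /var/lib/mnw
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=false
LockPersonality=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
SystemCallArchitectures=native
# NOTE(review): `systemd-analyze security` on this unit lists the remaining
# unset sandboxing options; evaluate each against the sudo requirement before
# enabling it.

# Resource limits
LimitNOFILE=4096
MemoryMax=512M
TasksMax=512

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=mnw-cli

[Install]
WantedBy=multi-user.target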