max / makenotwork

1.7 KB · 65 lines History Blame Raw

1	# Makenotwork systemd service
2	# Place in /etc/systemd/system/makenotwork.service
3	#
4	# Commands:
5	# sudo systemctl daemon-reload
6	# sudo systemctl enable makenotwork
7	# sudo systemctl start makenotwork
8	# sudo systemctl status makenotwork
9	# journalctl -u makenotwork -f
10
11	[Unit]
12	Description=Makenotwork - Fair creator platform
13	Documentation=https://makenot.work/docs
14	After=network.target postgresql.service
15	Requires=postgresql.service
16
17	[Service]
18	Type=simple
19	User=makenotwork
20	Group=makenotwork
21	WorkingDirectory=/opt/makenotwork
22	ExecStart=/opt/makenotwork/makenotwork
23	Restart=always
24	RestartSec=5
25	# Exit code 2 = migration failure. Don't restart — operator must intervene.
26	RestartPreventExitStatus=2
27
28	# Environment file with secrets
29	EnvironmentFile=/opt/makenotwork/.env
30	Environment=HOME=/opt/makenotwork
31
32	# Security hardening
33	NoNewPrivileges=true
34	ProtectSystem=strict
35	ProtectHome=true
36	PrivateTmp=true
37	ReadWritePaths=/opt/makenotwork
38	# Scan-spool tempfiles for streaming large uploads through the malware
39	# pipeline. systemd creates /var/lib/makenotwork/scan-spool, chowns to
40	# the service user, and adds it to ReadWritePaths automatically. Path
41	# is mirrored in `constants::SCAN_SPOOL_DIR`.
42	StateDirectory=makenotwork/scan-spool
43	StateDirectoryMode=0700
44	RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
45	RestrictNamespaces=true
46	RestrictRealtime=true
47	RestrictSUIDSGID=true
48	LockPersonality=true
49	ProtectKernelTunables=true
50	ProtectKernelModules=true
51	ProtectControlGroups=true
52	SystemCallArchitectures=native
53
54	# Resource limits
55	LimitNOFILE=65535
56	MemoryMax=512M
57
58	# Logging (goes to journald)
59	StandardOutput=journal
60	StandardError=journal
61	SyslogIdentifier=makenotwork
62
63	[Install]
64	WantedBy=multi-user.target
65