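# systemd unit for the MNW CLI SSH server (/opt/mnw-cli/mnw-cli).
# Runs as the unprivileged mnw-cli account inside a restricted sandbox.

[Unit]
Description=MNW CLI SSH Server
Documentation=https://makenot.work/docs
# After= only orders start-up; it does not pull the listed units in.
# network-online.target is ordered here because Wants= alone starts it in
# parallel, so the server could come up before the network is configured.
# makenotwork.service is ordered but not required: if nothing else starts it,
# this entry has no effect.
After=network.target network-online.target makenotwork.service
Wants=network-online.target

[Service]
Type=simple
User=mnw-cli
Group=mnw-cli
WorkingDirectory=/opt/mnw-cli
ExecStart=/opt/mnw-cli/mnw-cli
# Restart on every exit, clean or not, after a 5 second pause.
Restart=always
RestartSec=5

# Environment
# The service manager reads EnvironmentFile= itself before dropping to User=,
# so the file does not need to be readable or writable by mnw-cli.
# NOTE(review): if .env holds secrets, confirm it is root-owned with mode 0600.
EnvironmentFile=/opt/mnw-cli/.env
Environment=HOME=/opt/mnw-cli

# Security hardening
# The process cannot gain privileges through setuid/setgid bits or file capabilities.
NoNewPrivileges=true
# The whole file system is mounted read-only except the ReadWritePaths= below.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
# ReadWritePaths= lifts the read-only mount only; ownership and modes still apply.
# NOTE(review): /opt/mnw-cli also holds the executable and .env. If mnw-cli owns
# them, a compromised process could change what runs on the next restart. Confirm
# they are root-owned, or keep writable state under /var/lib/mnw-cli only.
ReadWritePaths=/opt/mnw-cli /var/lib/mnw-cli
# Allow-list: sockets of any other address family are refused.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# Only system calls of the native ABI are permitted.
SystemCallArchitectures=native
# NOTE(review): not set in this unit: CapabilityBoundingSet=, SystemCallFilter=,
# PrivateDevices=, ProtectKernelLogs=, ProtectClock=, ProtectHostname=,
# MemoryDenyWriteExecute=, UMask=. Check with "systemd-analyze security" and
# test each one against the server before enabling it.

# Resource limits
LimitNOFILE=4096
# MemoryMax= is enforced on the unified cgroup hierarchy (cgroup v2).
MemoryMax=512M
TasksMax=512

# Logging
# stdout and stderr go to the journal, tagged mnw-cli.
StandardOutput=journal
StandardError=journal
SyslogIdentifier=mnw-cli

[Install]
# "systemctl enable" hooks the unit into the normal multi-user boot.
WantedBy=multi-user.target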