# systemd unit for the PoM health monitor: runs "pom serve" as the
# unprivileged pom account inside a restricted sandbox.

[Unit]
Description=PoM Health Monitor
# Wants= pulls the target in; After= orders this unit behind it.
# network-online.target only delays startup when a wait-online service
# is enabled on the host.
Wants=network-online.target
After=network-online.target

[Service]
Type=simple

# Dedicated non-root identity for the daemon.
User=pom
Group=pom

# The leading "-" makes a missing /etc/pom/env non-fatal. Values read from
# this file override Environment= settings, so it can redirect
# XDG_DATA_HOME: keep it root-owned and not writable by pom, and restrict
# read access if it carries secrets.
EnvironmentFile=-/etc/pom/env
# NOTE(review): presumably pom stores state under $XDG_DATA_HOME/pom,
# i.e. the /var/lib/pom path opened for writing below; confirm.
Environment=XDG_DATA_HOME=/var/lib
ExecStart=/usr/local/bin/pom serve --config /etc/pom/pom.toml

# Restart after an unclean exit, waiting 10 seconds between attempts.
RestartSec=10
Restart=on-failure

# --- Sandbox: privileges and process attributes ---
# No privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=true
RestrictSUIDSGID=true
LockPersonality=true
RestrictNamespaces=true
# Only the native syscall ABI is accepted.
SystemCallArchitectures=native

# --- Sandbox: filesystem view ---
# strict: the whole hierarchy is read-only except /dev, /proc and /sys.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
# The only writable location. The directory must already exist, otherwise
# mount-namespace setup fails and the service does not start.
ReadWritePaths=/var/lib/pom
# Already read-only under ProtectSystem=strict; states the intent explicitly.
ReadOnlyPaths=/etc/pom

# --- Sandbox: kernel interfaces ---
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true

# --- Sandbox: network ---
# Allowlist: sockets of any other address family are refused.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# NOTE(review): not set in this unit and worth evaluating against what pom
# actually needs: CapabilityBoundingSet=, SystemCallFilter=, PrivateDevices=,
# ProtectKernelLogs=, ProtectClock=, ProtectHostname=, RestrictRealtime=,
# MemoryDenyWriteExecute=. "systemd-analyze security <unit>" reports the
# remaining exposure.

# --- Resource limits ---
# Hard memory ceiling for the service's control group.
MemoryMax=256M

[Install]
# Started as part of the normal multi-user boot once the unit is enabled.
WantedBy=multi-user.target