Software /
code /
prosody-modules
Changeset
2351:f8ecb4b248b0
misc: An experimental systemd service file
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 08 Nov 2016 00:09:06 +0100 |
parents | 2350:67990e045d4f |
children | 2352:3296a09b4e57 |
files | misc/systemd/prosody.service |
diffstat | 1 files changed, 72 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/misc/systemd/prosody.service Tue Nov 08 00:09:06 2016 +0100 @@ -0,0 +1,72 @@ +[Unit] +### see man systemd.unit +Description=Prosody XMPP Server +Documentation=https://prosody.im/doc + +[Service] +### See man systemd.service ### +# With this configuration, systemd takes care of daemonization +# so Prosody should be configured with daemonize = false +Type=simple + +# Not sure if this is needed for 'simple' +PIDFile=/var/run/prosody/prosody.pid + +# Start by executing the main executable +ExecStart=/usr/bin/prosody + +ExecReload=/bin/kill -HUP $MAINPID + +# Restart on crashes +Restart=on-abnormal + +# Set O_NONBLOCK flag on sockets passed via socket activation +NonBlocking=true + +### See man systemd.exec ### + +WorkingDirectory=/var/lib/prosody + +User=prosody +Group=prosody + +Umask=0027 + +# Nice=0 + +# Set stdin to /dev/null since Prosody does not need it +StandardInput=null + +# Direct stdout/-err to journald for use with log = "*stdout" +StandardOutput=journal +StandardError=inherit + +# This usually defaults to 4k or so +# LimitNOFILE=1M + +## Interesting protection methods +# Finding a useful combo of these settings would be nice +# +# Needs read access to /etc/prosody for config +# Needs write access to /var/lib/prosody for storing data (for internal storage) +# Needs write access to /var/log/prosody for writing logs (depending on config) +# Needs read access to code and libraries loaded + +# ReadWriteDirectories=/var/lib/prosody /var/log/prosody +# InaccessibleDirectories=/boot /home /media /mnt /root /srv +# ReadOnlyDirectories=/usr /etc/prosody + +# PrivateTmp=true +# PrivateDevices=true +# PrivateNetwork=false + +# ProtectSystem=full +# ProtectHome=true +# ProtectKernelTunables=true +# ProtectControlGroups=true +# SystemCallFilter= + +# This should break LuaJIT +# MemoryDenyWriteExecute=true + +