Changeset

2351:f8ecb4b248b0

misc: An experimental systemd service file
author Kim Alvefur <zash@zash.se>
date Tue, 08 Nov 2016 00:09:06 +0100
parents 2350:67990e045d4f
children 2352:3296a09b4e57
files misc/systemd/prosody.service
diffstat 1 files changed, 72 insertions(+), 0 deletions(-) [+]
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/misc/systemd/prosody.service	Tue Nov 08 00:09:06 2016 +0100
@@ -0,0 +1,72 @@
+[Unit]
+### see man systemd.unit
+Description=Prosody XMPP Server
+Documentation=https://prosody.im/doc
+
+[Service]
+### See man systemd.service ###
+# With this configuration, systemd takes care of daemonization
+# so Prosody should be configured with daemonize = false
+Type=simple
+
+# Not sure if this is needed for 'simple'
+PIDFile=/var/run/prosody/prosody.pid
+
+# Start by executing the main executable
+ExecStart=/usr/bin/prosody
+
+ExecReload=/bin/kill -HUP $MAINPID
+
+# Restart on crashes
+Restart=on-abnormal
+
+# Set O_NONBLOCK flag on sockets passed via socket activation
+NonBlocking=true
+
+### See man systemd.exec ###
+
+WorkingDirectory=/var/lib/prosody
+
+User=prosody
+Group=prosody
+
+Umask=0027
+
+# Nice=0
+
+# Set stdin to /dev/null since Prosody does not need it
+StandardInput=null
+
+# Direct stdout/-err to journald for use with log = "*stdout"
+StandardOutput=journal
+StandardError=inherit
+
+# This usually defaults to 4k or so
+# LimitNOFILE=1M
+
+## Interesting protection methods
+# Finding a useful combo of these settings would be nice
+#
+# Needs read access to /etc/prosody for config
+# Needs write access to /var/lib/prosody for storing data (for internal storage)
+# Needs write access to /var/log/prosody for writing logs (depending on config)
+# Needs read access to code and libraries loaded
+
+# ReadWriteDirectories=/var/lib/prosody /var/log/prosody
+# InaccessibleDirectories=/boot /home /media /mnt /root /srv
+# ReadOnlyDirectories=/usr /etc/prosody
+
+# PrivateTmp=true
+# PrivateDevices=true
+# PrivateNetwork=false
+
+# ProtectSystem=full
+# ProtectHome=true
+# ProtectKernelTunables=true
+# ProtectControlGroups=true
+# SystemCallFilter=
+
+# This should break LuaJIT
+# MemoryDenyWriteExecute=true
+
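Review bot: `Umask=0027` in the systemd.exec part of `[Service]` is not a setting systemd recognises. The directive is spelled `UMask=` and unit-file keys are case-sensitive, so the line is logged as an unknown key and ignored, and the service starts with systemd's default umask of 0022. Unless Prosody sets its own umask at startup (not visible from this file), data and log files it creates under /var/lib/prosody and /var/log/prosody would then be readable by other local users; the line should read `UMask=0027`, and running `systemd-analyze verify` on the unit would catch this kind of typo. Separately, every sandboxing option at the end of the file is commented out, so the unit ships with no confinement beyond `User=`/`Group=`. Enabling `NoNewPrivileges=true` and `PrivateTmp=true` looks like a low-risk starting point, with a short comment stating which options were tested and which are known to break (as already done for `MemoryDenyWriteExecute=`).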
+