Blame onionbalance.service
|
mh |
d91cc48 |
# OnionBalance systemd service unit
|
|
mh |
d91cc48 |
|
|
mh |
d91cc48 |
# Unit metadata, start ordering and the start precondition.
[Unit]
|
|
mh |
d91cc48 |
# Human-readable name shown by systemctl and in the journal.
Description=OnionBalance - Tor Onion Service load balancer
|
|
mh |
d91cc48 |
# Upstream project page, listed by `systemctl status`.
Documentation=https://github.com/DonnchaC/onionbalance
|
|
mh |
d91cc48 |
# Ordering only: if any of these units is started in the same transaction,
# this service starts after it. After= does not pull the units in.
# NOTE(review): tor@.service is a template name without an instance; confirm
# it orders against the instance actually used on the host.
After=network.target tor.service tor@.service tor-master.service
|
|
mh |
d91cc48 |
# Pulls in network-online.target as a soft dependency. After= above does not
# list it, so start-up is not delayed until the network is reported online.
# NOTE(review): add network-online.target to After= if that wait is intended.
Wants=network-online.target
|
|
mh |
d91cc48 |
# Start is skipped (not marked failed) when the configuration file is absent.
ConditionPathExists=/etc/onionbalance/config.yaml
|
|
mh |
d91cc48 |
|
|
mh |
d91cc48 |
# How the daemon is launched, which account it runs as, and its sandbox.
[Service]
|
|
mh |
d91cc48 |
# The ExecStart= process is the main process and must stay in the foreground;
# systemd treats the unit as started as soon as that process is spawned.
Type=simple
|
|
mh |
d91cc48 |
# Log file path handed to the daemon through its environment (presumably read
# by onionbalance itself; verify against the program). The directory is made
# writable by ReadWriteDirectories=-/var/log/onionbalance below.
Environment="ONIONBALANCE_LOG_LOCATION=/var/log/onionbalance/log"
|
|
mh |
d91cc48 |
# Main process. Runs as User=onionbalance with the hardening options below
# applied; -c names the same file checked by ConditionPathExists=.
ExecStart=/usr/bin/onionbalance -c /etc/onionbalance/config.yaml
|
|
mh |
d91cc48 |
# Command run by `systemctl reload`. Because PermissionsStartOnly=true is set
# below, User= is NOT applied to this command: it runs as root.
# NOTE(review): confirm the binary accepts a `reload` argument and that it
# needs root; if not, drop PermissionsStartOnly= so it runs as onionbalance.
ExecReload=/usr/bin/onionbalance reload
|
|
mh |
d91cc48 |
# Seconds to wait after the stop signal before remaining processes are killed.
TimeoutStopSec=5
|
|
mh |
d91cc48 |
# On stop, SIGTERM goes to the main process only; once the stop timeout
# expires, SIGKILL is sent to every process left in the unit's control group.
KillMode=mixed
|
|
mh |
d91cc48 |
|
|
mh |
d91cc48 |
# Account the ExecStart= process runs as, instead of root.
User=onionbalance
|
|
mh |
d91cc48 |
# Restricts User= (and related permission settings) to ExecStart= only; other
# Exec*= commands run with full privileges. In this file the only such
# command is ExecReload=, so the effect is that reload runs as root.
# NOTE(review): this option is deprecated in current systemd; the documented
# replacement is a "+" prefix on the individual command that needs root.
PermissionsStartOnly=true
|
|
mh |
d91cc48 |
# Restart after termination by signal, an operation timeout or a watchdog
# timeout. A plain exit, with zero or non-zero status, does not restart it.
Restart=on-abnormal
|
|
mh |
d91cc48 |
# Delay before an automatic restart.
RestartSec=2s
|
|
mh |
d91cc48 |
# Open file descriptor limit (RLIMIT_NOFILE) for the service's processes.
LimitNOFILE=65536
|
|
mh |
d91cc48 |
|
|
mh |
d91cc48 |
# Hardening
|
|
mh |
d91cc48 |
# Upper bound on the capabilities any process of this unit can hold. The
# bounding set grants nothing by itself: the main process runs as a non-root
# user with no AmbientCapabilities= set in this file, so it holds none of
# these. They matter only for commands that run as root (ExecReload= here).
# NOTE(review): check whether CAP_CHOWN and CAP_FOWNER are still needed; an
# empty bounding set is the tightest option if nothing in the unit needs root.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN CAP_FOWNER
|
|
mh |
d91cc48 |
# The service and its children cannot gain privileges through execve(), so
# setuid/setgid bits and file capabilities have no effect.
NoNewPrivileges=yes
|
|
mh |
d91cc48 |
# Private /dev containing only pseudo-devices (null, zero, random, ...); no
# access to physical devices.
PrivateDevices=yes
|
|
mh |
d91cc48 |
# Private /tmp and /var/tmp, not shared with other processes on the host.
PrivateTmp=yes
|
|
mh |
d91cc48 |
# /home, /root and /run/user are made inaccessible and appear empty.
ProtectHome=yes
|
|
mh |
d91cc48 |
# /usr, the boot loader directories and /etc are mounted read-only.
# ReadOnlyDirectories=/ below extends read-only to the rest of the tree.
ProtectSystem=full
|
|
mh |
d91cc48 |
# systemd creates /run/onionbalance at start, owned by the service user, and
# removes it when the service stops.
RuntimeDirectory=onionbalance
|
|
mh |
d91cc48 |
# Whole file system hierarchy is read-only for the service; the
# ReadWriteDirectories= lines below are the only exceptions.
# ReadOnlyDirectories=/ReadWriteDirectories= are the older names of
# ReadOnlyPaths=/ReadWritePaths= and are still accepted.
ReadOnlyDirectories=/
|
|
mh |
d91cc48 |
# Re-opens /proc for writing; the leading "-" ignores the entry if the path
# does not exist.
# NOTE(review): this is the broadest exception in the sandbox. Confirm the
# daemon needs to write under /proc; if it does not, remove this line.
ReadWriteDirectories=-/proc
|
|
mh |
d91cc48 |
# Writable exception for /var/lib/onionbalance (presumably the daemon's state
# directory); ignored if the directory is missing.
ReadWriteDirectories=-/var/lib/onionbalance
|
|
mh |
d91cc48 |
# Writable log directory; contains the file named by
# ONIONBALANCE_LOG_LOCATION above.
ReadWriteDirectories=-/var/log/onionbalance
|
|
mh |
2afb56f |
# Keeps the directory created by RuntimeDirectory=onionbalance writable under
# the read-only root.
ReadWriteDirectories=-/run/onionbalance
|
|
mh |
d91cc48 |
|
|
mh |
d91cc48 |
# Used only by `systemctl enable` / `disable`.
[Install]
|
|
mh |
d91cc48 |
# When enabled, the service is started as part of the normal multi-user boot.
WantedBy=multi-user.target
|