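--- a/UNIT_FILE_PATH_NOT_SHOWN
+++ b/UNIT_FILE_PATH_NOT_SHOWN
@@ -1,22 +1,28 @@
 [Unit]
 Description=Radicale CalDAV and CardDAV server
-Documentation=http://radicale.org/documentation/
-After=network-online.target
-Requires=network-online.target
+Documentation=https://radicale.org/3.0.html#documentation
+After=network.target
+Requires=network.target
 
 [Service]
+ExecStart=/usr/bin/radicale --daemon --pid=/var/run/radicale/radicale.pid
+PIDFile=/var/run/radicale/radicale.pid
+Restart=on-failure
 Type=forking
-WorkingDirectory=/var/lib/radicale
 User=radicale
 Group=radicale
 UMask=0027
-PIDFile=/var/run/radicale/radicale.pid
-ExecStart=/usr/bin/radicale --daemon --pid=/var/run/radicale/radicale.pid
+WorkingDirectory=/var/lib/radicale
 PrivateTmp=true
-CapabilityBoundingSet=
-ProtectSystem=full
+ProtectSystem=strict
 ProtectHome=true
-Restart=on-abnormal
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+NoNewPrivileges=true
+CapabilityBoundingSet=
+ReadWritePaths=/var/lib/radicale/
 
 [Install]
 WantedBy=multi-user.target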
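Review bot: The PID file in `ExecStart=` and `PIDFile=` stays at `/var/run/radicale/radicale.pid`, but the new `ProtectSystem=strict` mounts everything outside `/dev`, `/proc` and `/sys` read-only for the service, and the only exception granted is `ReadWritePaths=/var/lib/radicale/`. Unless that directory is made writable by something not visible in this hunk, the `Type=forking` start will probably fail when the daemon tries to write its PID file as `User=radicale`. Adding `RuntimeDirectory=radicale` and pointing both lines at `/run/radicale/radicale.pid` lets systemd create a writable directory owned by the service user, and avoids the legacy `/var/run` alias. Since the `Documentation=` link now targets the 3.0 docs, also confirm that the packaged Radicale still accepts `--daemon` and `--pid`; if it does not, `Type=simple` without a PID file removes the problem entirely.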
Follow most recommendations at https://radicale.org/3.0.html#tutorials/running-as-a-service/linux-with-systemd-system-wide:
- Use more/stricter security settings
- Use ReadWritePaths=/var/lib/radicale/ to support git hooks as reported in https://github.com/Kozea/Radicale/issues/1153
- Adjust Restart policy