52 lines
1023 B
Desktop File
52 lines
1023 B
Desktop File
[Unit]
|
|
Description=bal-server daemon
|
|
After=network.target
|
|
|
|
[Service]
|
|
|
|
# Service execution
|
|
###################
|
|
EnvironmentFile=/home/bal/bal-server.env
|
|
|
|
ExecStart=/usr/local/bin/bal-server
|
|
|
|
SyslogIdentifier=bal-server
|
|
|
|
# Process management
|
|
####################
|
|
Type=simple
|
|
PIDFile=/run/bal-server/bal-server.pid
|
|
Restart=always
|
|
TimeoutSec=300
|
|
RestartSec=30
|
|
|
|
# Directory creation and permissions
|
|
####################################
|
|
User=bal
|
|
UMask=0027
|
|
|
|
# /run/bal-server
|
|
RuntimeDirectory=bal-server
|
|
RuntimeDirectoryMode=0710
|
|
|
|
# Hardening measures
|
|
####################
|
|
|
|
# Mount /usr, /boot/ and /etc read-only for the process.
|
|
ProtectSystem=full
|
|
|
|
# Disallow the process and all of its children to gain
|
|
# new privileges through execve().
|
|
NoNewPrivileges=true
|
|
|
|
# Use a new /dev namespace only populated with API pseudo devices
|
|
# such as /dev/null, /dev/zero and /dev/random.
|
|
PrivateDevices=true
|
|
|
|
# Deny the creation of writable and executable memory mappings.
|
|
MemoryDenyWriteExecute=true
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
|