gtsocial-umbx

Unnamed repository; edit this file 'description' to name the repository.
Log | Files | Refs | README | LICENSE

gotosocial.service (2116B)

      1 [Unit]
      2 Description=GoToSocial Server
      3 
      4 [Service]
      5 
      6 # make sure this user and group exist and have read and write permissions in your GoToSocial folder.
      7 # if they do not exist yet create them with "sudo useradd -r gotosocial"
      8 # then give them permission with "chown -R gotosocial:gotosocial /gotosocial" (path to your gotosocial folder)
      9 # you can adjust the users name according to your setup
     10 User=gotosocial
     11 Group=gotosocial
     12 
     13 Type=exec
     14 Restart=on-failure
     15 
     16 # change if your path to the GoToSocial binary is different
     17 ExecStart=/gotosocial/gotosocial --config-path config.yaml server start
     18 WorkingDirectory=/gotosocial
     19 
     20 # Sandboxing options to harden security
     21 # Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
     22 NoNewPrivileges=yes
     23 PrivateTmp=yes
     24 PrivateDevices=yes
     25 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
     26 RestrictNamespaces=yes
     27 RestrictRealtime=yes
     28 DevicePolicy=closed
     29 ProtectSystem=full
     30 ProtectControlGroups=yes
     31 ProtectKernelModules=yes
     32 ProtectKernelTunables=yes
     33 LockPersonality=yes
     34 SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
     35 
     36 # Denying access to capabilities that should not be relevant
     37 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
     38 CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
     39 CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
     40 CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
     41 CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
     42 CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
     43 CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
     44 CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
     45 CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
     46 CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
     47 # You might need this if you are running as non-root on a privileged port (below 1024)
     48 #AmbientCapabilities=CAP_NET_BIND_SERVICE
     49 
     50 
     51 [Install]
     52 WantedBy=default.target
     53 
     54 # After you are done editing this file move it to "/etc/systemd/system/gotosocial.service" and enable the service with "sudo systemctl enable --now gotosocial.service"