Diffstat (limited to 'app-backup/restic-rest-server/files/restic-rest-server.service')
-rw-r--r--app-backup/restic-rest-server/files/restic-rest-server.service81
1 files changed, 81 insertions, 0 deletions
diff --git a/app-backup/restic-rest-server/files/restic-rest-server.service b/app-backup/restic-rest-server/files/restic-rest-server.service
new file mode 100644
index 0000000..2520cc5
--- /dev/null
+++ b/app-backup/restic-rest-server/files/restic-rest-server.service
@@ -0,0 +1,81 @@
+[Unit]
+Description=Restic REST Server
+After=syslog.target
+After=network.target
+Requires=restic-rest-server.socket
+After=restic-rest-server.socket
+
+[Service]
+Type=simple
+# You may prefer to use a different user or group on your system.
+User=restic-rest-server
+Group=restic-rest-server
+ExecStart=/usr/bin/rest-server --path /var/lib/restic-rest-server
+Restart=always
+RestartSec=5
+
+# The following options are available (in systemd v247) to restrict the
+# actions of the rest-server.
+
+# As a whole, the purpose of these are to provide an additional layer of
+# security by mitigating any unknown security vulnerabilities which may exist
+# in rest-server or in the libraries, tools and operating system components
+# which it relies upon.
+
+# IMPORTANT!
+# The following line must be customised to your individual requirements.
+ReadWritePaths=/var/lib/restic-rest-server
+
+# Makes created files group-readable, but inaccessible by others
+UMask=027
+
+# If your system doesn't support all of the features below (e.g. because of
+# the use of an older version of systemd), you may wish to comment-out
+# some of the lines below as appropriate.
+CapabilityBoundingSet=
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=yes
+
+# As the listen socket is created by systemd via the rest-server.socket unit, it is
+# no longer necessary for rest-server to have access to the host network namespace.
+PrivateNetwork=yes
+
+PrivateTmp=yes
+PrivateDevices=true
+PrivateUsers=true
+ProtectSystem=strict
+ProtectHome=yes
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectHostname=true
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictAddressFamilies=none
+RestrictSUIDSGID=true
+RestrictRealtime=true
+# if your service crashes with "code=killed, status=31/SYS", you probably tried to run linux_i386 (32bit) binary on a amd64 host
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+# Additionally, you may wish to use some of the systemd options documented in
+# systemd.resource-control(5) to limit the CPU, memory, file-system I/O and
+# network I/O that the rest-server is permitted to consume according to the
+# individual requirements of your installation.
+#CPUQuota=25%
+#MemoryHigh=bytes
+#MemoryMax=bytes
+#MemorySwapMax=bytes
+#TasksMax=N
+#IOReadBandwidthMax=device bytes
+#IOWriteBandwidthMax=device bytes
+#IOReadIOPSMax=device IOPS, IOWriteIOPSMax=device IOPS
+#IPAccounting=true
+#IPAddressAllow=
+
+[Install]
+WantedBy=multi-user.target
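Review bot: The ExecStart line runs rest-server with only `--path`, so a client that holds valid repository credentials can also delete or overwrite existing snapshots on the server; for a backup target the usual mitigation is to start the server in append-only mode and to scope each user to its own repository, e.g. `ExecStart=/usr/bin/rest-server --path /var/lib/restic-rest-server --append-only --private-repos`, assuming the packaged rest-server version supports those flags (they are not visible in this diff). The sandboxing options are thorough, but the unit is silent about authentication: nothing here says that the server expects an `.htpasswd` under the data directory by default, so a short comment above ExecStart such as `# Authentication: rest-server reads .htpasswd from --path unless --no-auth is given; never add --no-auth on a network-exposed socket` would save operators from discovering it the hard way. Separately, the comment on the PrivateNetwork block names `rest-server.socket`, while Requires= and After= reference `restic-rest-server.socket`; the comment should read `# As the listen socket is created by systemd via the restic-rest-server.socket unit, it is` to match. `After=syslog.target` is an obsolete target and can be dropped without changing ordering.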