| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152 |
- [Unit]
- Description=Emergency Access Key Server
- After=network.target
- Wants=network.target
- [Service]
- Type=simple
- User=emergency-access
- Group=emergency-access
- WorkingDirectory=/opt/emergency-access
- Environment=EMERGENCY_CONFIG=/etc/emergency-access/config.json
- Environment=PYTHONPATH=/opt/emergency-access
- Environment=NTFY_CONFIG=/etc/emergency-access/ntfy.yml
- ExecStart=/opt/emergency-access/venv/bin/python /opt/emergency-access/main.py
- ExecReload=/bin/kill -HUP $MAINPID
- Restart=always
- RestartSec=5
- StartLimitIntervalSec=300
- StartLimitBurst=5
- StandardOutput=journal
- StandardError=journal
- SyslogIdentifier=emergency-access
- # Security settings
- NoNewPrivileges=true
- ProtectSystem=strict
- ProtectHome=true
- ReadWritePaths=/var/log
- ReadOnlyPaths=/etc/emergency-access
- PrivateTmp=true
- ProtectKernelTunables=true
- ProtectKernelModules=true
- ProtectControlGroups=true
- RestrictRealtime=true
- RestrictNamespaces=true
- LockPersonality=true
- MemoryDenyWriteExecute=true
- RestrictSUIDSGID=true
- # Monitoring and health
- WatchdogSec=30
- NotifyAccess=main
- KillMode=mixed
- TimeoutStopSec=10
- # Network restrictions - allow localhost only (Caddy reverse proxy)
- IPAddressDeny=any
- IPAddressAllow=localhost
- IPAddressAllow=127.0.0.0/8
- [Install]
- WantedBy=multi-user.target
|
