首頁 探索 說明
登入
albin
/
emergency-access
1
0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
目錄樹: 8f67d7b2b5
分支列表 標籤列表
emergency-acces...
/
emergency-access.service

emergency-access.service 1.0 KB
文件歷史 原始文件

12345678910111213141516171819202122232425262728293031323334353637383940414243 
  1. [Unit]
    2. 

  2. Description=Emergency Access Key Server
    3. 

  3. After=network.target
    4. 

  4. Wants=network.target
    5. 

  5. 

  6. [Service]
    7. 

  7. Type=simple
    8. 

  8. User=emergency-access
    9. 

  9. Group=emergency-access
    10. 

  10. WorkingDirectory=/opt/emergency-access
    11. 

  11. Environment=EMERGENCY_CONFIG=/etc/emergency-access/config.json
    12. 

  12. Environment=PYTHONPATH=/opt/emergency-access
    13. 

  13. Environment=NTFY_CONFIG=/etc/emergency-access/ntfy.yml
    14. 

  14. ExecStart=/opt/emergency-access/venv/bin/python /opt/emergency-access/main.py
    15. 

  15. ExecReload=/bin/kill -HUP $MAINPID
    16. 

  16. Restart=always
    17. 

  17. RestartSec=5
    18. 

  18. StandardOutput=journal
    19. 

  19. StandardError=journal
    20. 

  20. 

  21. # Security settings
    22. 

  22. NoNewPrivileges=true
    23. 

  23. ProtectSystem=strict
    24. 

  24. ProtectHome=true
    25. 

  25. ReadWritePaths=/var/log
    26. 

  26. ReadOnlyPaths=/etc/emergency-access
    27. 

  27. PrivateTmp=true
    28. 

  28. ProtectKernelTunables=true
    29. 

  29. ProtectKernelModules=true
    30. 

  30. ProtectControlGroups=true
    31. 

  31. RestrictRealtime=true
    32. 

  32. RestrictNamespaces=true
    33. 

  33. LockPersonality=true
    34. 

  34. MemoryDenyWriteExecute=true
    35. 

  35. RestrictSUIDSGID=true
    36. 

  36. 

  37. # Network restrictions - allow localhost only (Caddy reverse proxy)
    38. 

  38. IPAddressDeny=any
    39. 

  39. IPAddressAllow=localhost
    40. 

  40. IPAddressAllow=127.0.0.0/8
    41. 

  41. 

  42. [Install]
    43. 

  43. WantedBy=multi-user.target
    44.