| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869 |
- [Unit]
- Description=listmonk mailing list and newsletter manager (%I)
- ConditionPathExists=/etc/listmonk/%i.toml
- Wants=network.target
- # The PostgreSQL database may not be on the same host but if it
- # is listmonk should wait for it to start up.
- After=postgresql.service
- [Service]
- Type=simple
- EnvironmentFile=-/etc/default/listmonk
- EnvironmentFile=-/etc/default/listmonk-%i
- ExecStartPre=/usr/bin/mkdir -p "${HOME}/uploads"
- ExecStartPre=/usr/bin/listmonk --config /etc/listmonk/%i.toml --upgrade --yes
- ExecStart=/usr/bin/listmonk --config /etc/listmonk/%i.toml $SYSTEMD_LISTMONK_ARGS
- Restart=on-failure
- # Create dynamic users for listmonk service instances
- # but create a state directory for uploads in /var/lib/private/%i.
- DynamicUser=True
- StateDirectory=listmonk-%i
- Environment=HOME=%S/listmonk-%i
- WorkingDirectory=%S/listmonk-%i
- # Use systemd’s ability to disable security-sensitive features
- # that listmonk does not explicitly need.
- # NoNewPrivileges should be enabled by DynamicUser=yes but systemd-analyze
- # still recommended to explicitly enable it.
- NoNewPrivileges=True
- # listmonk doesn’t need any capabilities as defined by the linux kernel
- # see: https://man7.org/linux/man-pages/man7/capabilities.7.html
- CapabilityBoundingSet=
- # listmonk only executes native code with no need for any other ABIs.
- SystemCallArchitectures=native
- # Only enable a reasonable set of system calls.
- # see: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=
- SystemCallFilter=@system-service
- SystemCallFilter=~@privileged @resources
- # ProtectSystem=strict, which is implied by DynamicUser=True, already disabled write calls
- # to the entire filesystem hierarchy, leaving only /dev/, /proc/, and /sys/ writable.
- # listmonk doesn’t need access to those so might as well disable them.
- PrivateDevices=True
- ProtectControlGroups=True
- ProtectKernelTunables=True
- # Make /home/, /root/, and /run/user/ inaccessible.
- ProtectHome=True
- # listmonk doesn’t handle any specific device nodes.
- DeviceAllow=False
- # listmonk doesn’t make use of linux namespaces.
- RestrictNamespaces=True
- # listmonk doesn’t need realtime scheduling.
- RestrictRealtime=True
- # Make sure files created by listmonk are only readable by itself and
- # others in the listmonk system group.
- UMask=0027
- # Disable memory mappings that are both writable and executable.
- MemoryDenyWriteExecute=True
- # listmonk doesn’t make use of linux personality switching.
- LockPersonality=True
- # listmonk only needs to support the IPv4 and IPv6 address families.
- RestrictAddressFamilies=AF_INET AF_INET6
- # listmonk doesn’t need to load any linux kernel modules.
- ProtectKernelModules=True
- # Create a sandboxed environment where the system users are mapped to a
- # service-specific linux kernel namespace.
- PrivateUsers=True
- [Install]
- WantedBy=multi-user.target
|
