From a6d1ae443e4e613008b2b349bdbb49591cbc1626 Mon Sep 17 00:00:00 2001
From: nico
Date: Wed, 10 Jun 2020 12:00:12 +0200
Subject: systemd service hardening

+ add systemd protective features to restrict the system access
+ add service documentation link
+ add service required / after fields
---
 contrib/init/linux-systemd/ejabberd-influxdb.service | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'contrib/init/linux-systemd/ejabberd-influxdb.service')

diff --git a/contrib/init/linux-systemd/ejabberd-influxdb.service b/contrib/init/linux-systemd/ejabberd-influxdb.service
index 364b574..6b711b6 100644
--- a/contrib/init/linux-systemd/ejabberd-influxdb.service
+++ b/contrib/init/linux-systemd/ejabberd-influxdb.service
@@ -1,5 +1,8 @@
 [Unit]
 Description=ejabberd influxdb exporter
+Documentation=https://dev.sum7.eu/sum7/ejabberd-tools/-/blob/master/README.md
+After=influxdb.service
+Requires=ejabberd.service influxdb.service
 
 [Service]
 Type=simple
@@ -8,6 +11,13 @@ Group=nogroup
 Environment="PATH=/opt/ejabberd-tools/venv/bin:/usr/local/bin:/usr/bin:/bin"
 ExecStart=/opt/ejabberd-tools/influx.py
 WorkingDirectory=/opt/ejabberd-tools/
+PrivateDevices=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=yes
+ProtectSystem=full
+NoNewPrivileges=yes
 Restart=always
 RestartSec=5s
 
-- 
cgit v1.2.3-54-g00ecf
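Review bot: The added `Requires=` names ejabberd.service, but the added `After=` lists only influxdb.service, and `Requires=` on its own imposes no start ordering, so the exporter can be started in parallel with ejabberd. If it needs ejabberd up before its first poll, write `After=ejabberd.service influxdb.service`. `Requires=` also means this unit is stopped or restarted along with either dependency. If influx.py can ride out a missing backend (not visible here), `Wants=` plus the existing `Restart=always` may be the more resilient choice.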
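Review bot: `ProtectSystem=full` makes only /usr, the boot loader directories and /etc read-only, so `/opt/ejabberd-tools/influx.py` and the venv at the front of `PATH` stay writable as far as this sandbox is concerned. Whether the service account can actually modify them depends on file ownership, which the hunk does not show. If the exporter writes nothing locally, `ProtectSystem=strict` (with `ReadWritePaths=` for any exception) closes that gap, and `PrivateTmp=true` is a cheap addition alongside it. Use one boolean spelling (`true` or `yes`) throughout the added lines, and check the result with `systemd-analyze security ejabberd-influxdb.service`. The [Service] section starts above this hunk and continues after it.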