| Commit | Line | Data |
|---|---|---|
| 46889254 C | 1 | [Unit] |
| | 2 | Description=PeerTube daemon |
| 9a515f76 | 3 | After=network.target postgresql.service redis-server.service |
| 46889254 C | 4 | |
| | 5 | [Service] |
| | 6 | Type=simple |
| | 7 | Environment=NODE_ENV=production |
| 59c48d49 | 8 | Environment=NODE_CONFIG_DIR=/var/www/peertube/config |
| d2000ca6 C | 9 | User=peertube |
| | 10 | Group=peertube |
| 9e580054 | 11 | ExecStart=/usr/bin/npm start |
| 59c48d49 | 12 | WorkingDirectory=/var/www/peertube/peertube-latest |
| 46889254 C | 13 | StandardOutput=syslog |
| | 14 | StandardError=syslog |
| | 15 | SyslogIdentifier=peertube |
| | 16 | Restart=always |
| | 17 | |
| 3114c2c2 RK | 18 | ; Some security directives. |
| | 19 | ; Use private /tmp and /var/tmp folders inside a new file system namespace, |
| | 20 | ; which are discarded after the process stops. |
| | 21 | PrivateTmp=true |
| | 22 | ; Mount /usr, /boot, and /etc as read-only for processes invoked by this service. |
| | 23 | ProtectSystem=full |
| | 24 | ; Sets up a new /dev mount for the process and only adds API pseudo devices |
| | 25 | ; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled |
| | 26 | ; by default because it may not work on devices like the Raspberry Pi. |
| | 27 | PrivateDevices=false |
| | 28 | ; Ensures that the service process and all its children can never gain new |
| | 29 | ; privileges through execve(). |
| | 30 | NoNewPrivileges=true |
| a46934c8 MK | 31 | ; This makes /home, /root, and /run/user inaccessible and empty for processes invoked |
| | 32 | ; by this unit. Make sure that you do not depend on data inside these folders. |
| | 33 | ProtectHome=true |
| | 34 | ; Drops the sys admin capability from the daemon. |
| | 35 | CapabilityBoundingSet=~CAP_SYS_ADMIN |
| 3114c2c2 | 36 | |
| 46889254 C | 37 | [Install] |
| | 38 | WantedBy=multi-user.target |
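
An added example, not part of the repository this file comes from: a small Python audit that parses a unit file and reports which of the sandboxing directives commented above are actually switched on, so a deliberately disabled one such as `PrivateDevices=false` stands out. The function names and report labels are assumptions of this example; `UNIT` reproduces the hardening lines shown on this page.

```python
BOOL_TRUE = {"1", "yes", "true", "on"}  # systemd boolean spellings
ENABLING = {  # values that switch each protection on
    "PrivateTmp": BOOL_TRUE,
    "ProtectSystem": BOOL_TRUE | {"full", "strict"},
    "PrivateDevices": BOOL_TRUE,
    "NoNewPrivileges": BOOL_TRUE,
    "ProtectHome": BOOL_TRUE | {"read-only", "tmpfs"},
}
# Hardening lines copied from the unit on this page (its comments shortened).
UNIT = """\
[Service]
; Some security directives.
PrivateTmp=true
ProtectSystem=full
PrivateDevices=false
NoNewPrivileges=true
ProtectHome=true
CapabilityBoundingSet=~CAP_SYS_ADMIN
[Install]
WantedBy=multi-user.target
"""

def parse_service(text):
    """Return [Service] key/value pairs. Simplification: last assignment wins."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # both comment markers are valid
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def sys_admin_dropped(value):
    """True if this CapabilityBoundingSet value excludes CAP_SYS_ADMIN."""
    if value is None:  # directive absent: bounding set is left untouched
        return False
    caps = value.lstrip("~").split()
    return ("CAP_SYS_ADMIN" in caps) == value.startswith("~")

def audit(text):
    svc = parse_service(text)
    report = {k: "missing" if k not in svc else
              "enabled" if svc[k].lower() in ok else "disabled"
              for k, ok in ENABLING.items()}
    report["CAP_SYS_ADMIN"] = "dropped" if sys_admin_dropped(svc.get("CapabilityBoundingSet")) else "kept"
    return report
```

On a host running the service, `systemd-analyze security` with the unit name reports the effective values of these and further sandboxing settings.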