[github/Chocobozzz/PeerTube.git] / support / systemd / peertube.service

[Unit]
Description=PeerTube daemon
After=network.target postgresql.service redis-server.service

[Service]
Type=simple
Environment=NODE_ENV=production
Environment=NODE_CONFIG_DIR=/var/www/peertube/config
User=peertube
Group=peertube
ExecStart=/usr/bin/npm start
WorkingDirectory=/var/www/peertube/peertube-latest
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=peertube
Restart=always

; Some security directives.
; Use private /tmp and /var/tmp folders inside a new file system namespace,
; which are discarded after the process stops.
PrivateTmp=true
; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
ProtectSystem=full
; Sets up a new /dev mount for the process and only adds API pseudo devices
; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
; by default because it may not work on devices like the Raspberry Pi.
PrivateDevices=false
; Ensures that the service process and all its children can never gain new
; privileges through execve().
NoNewPrivileges=true
; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
; by this unit. Make sure that you do not depend on data inside these folders.
ProtectHome=true
; Drops the sys admin capability from the daemon.
CapabilityBoundingSet=~CAP_SYS_ADMIN

[Install]
WantedBy=multi-user.target
Commit	Line	Data
46889254 C	1	[Unit]
46889254 C	2	Description=PeerTube daemon
9a515f76	3	After=network.target postgresql.service redis-server.service
46889254 C	4
	5	[Service]
	6	Type=simple
	7	Environment=NODE_ENV=production
59c48d49	8	Environment=NODE_CONFIG_DIR=/var/www/peertube/config
d2000ca6 C	9	User=peertube
d2000ca6 C	10	Group=peertube
9e580054	11	ExecStart=/usr/bin/npm start
59c48d49	12	WorkingDirectory=/var/www/peertube/peertube-latest
46889254 C	13	StandardOutput=syslog
	14	StandardError=syslog
	15	SyslogIdentifier=peertube
	16	Restart=always
	17
3114c2c2 RK	18	; Some security directives.
	19	; Use private /tmp and /var/tmp folders inside a new file system namespace,
	20	; which are discarded after the process stops.
	21	PrivateTmp=true
	22	; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
	23	ProtectSystem=full
	24	; Sets up a new /dev mount for the process and only adds API pseudo devices
	25	; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
	26	; by default because it may not work on devices like the Raspberry Pi.
	27	PrivateDevices=false
	28	; Ensures that the service process and all its children can never gain new
	29	; privileges through execve().
	30	NoNewPrivileges=true
a46934c8 MK	31	; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
	32	; by this unit. Make sure that you do not depend on data inside these folders.
	33	ProtectHome=true
	34	; Drops the sys admin capability from the daemon.
	35	CapabilityBoundingSet=~CAP_SYS_ADMIN
3114c2c2	36
46889254 C	37	[Install]
46889254 C	38	WantedBy=multi-user.target