]>
Commit | Line | Data |
---|---|---|
1 | [Unit] | |
2 | Description=PeerTube daemon | |
3 | After=network.target postgresql.service redis-server.service | |
4 | ||
5 | [Service] | |
6 | Type=simple | |
7 | Environment=NODE_ENV=production | |
8 | Environment=NODE_CONFIG_DIR=/var/www/peertube/config | |
9 | User=peertube | |
10 | Group=peertube | |
11 | ExecStart=/usr/bin/node dist/server | |
12 | WorkingDirectory=/var/www/peertube/peertube-latest | |
13 | SyslogIdentifier=peertube | |
14 | Restart=always | |
15 | ||
16 | ; Some security directives. | |
17 | ; Mount /usr, /boot, and /etc as read-only for processes invoked by this service. | |
18 | ProtectSystem=full | |
19 | ; Sets up a new /dev mount for the process and only adds API pseudo devices | |
20 | ; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled | |
21 | ; by default because it may not work on devices like the Raspberry Pi. | |
22 | PrivateDevices=false | |
23 | ; Ensures that the service process and all its children can never gain new | |
24 | ; privileges through execve(). | |
25 | NoNewPrivileges=true | |
26 | ; This makes /home, /root, and /run/user inaccessible and empty for processes invoked | |
27 | ; by this unit. Make sure that you do not depend on data inside these folders. | |
28 | ProtectHome=true | |
29 | ; Drops the sys admin capability from the daemon. | |
30 | CapabilityBoundingSet=~CAP_SYS_ADMIN | |
31 | ||
32 | [Install] | |
33 | WantedBy=multi-user.target |