X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=support%2Fsystemd%2Fpeertube.service;h=00d66b917f7b5d81eeb15477ae937c2e0c9bf547;hb=41cde76bbf5ac16a90b5f158672523069db74009;hp=c1bdcf760b71e74aaf35405e8d6a211990376e26;hpb=2a8c5d0af13f3ccb9a505e1fbc9d324b9d33ba1f;p=github%2FChocobozzz%2FPeerTube.git

diff --git a/support/systemd/peertube.service b/support/systemd/peertube.service
index c1bdcf760..00d66b917 100644
--- a/support/systemd/peertube.service
+++ b/support/systemd/peertube.service
@@ -8,17 +8,12 @@ Environment=NODE_ENV=production
 Environment=NODE_CONFIG_DIR=/var/www/peertube/config
 User=peertube
 Group=peertube
-ExecStart=/usr/bin/npm start
+ExecStart=/usr/bin/node dist/server
 WorkingDirectory=/var/www/peertube/peertube-latest
-StandardOutput=syslog
-StandardError=syslog
 SyslogIdentifier=peertube
 Restart=always
 
 ; Some security directives.
-; Use private /tmp and /var/tmp folders inside a new file system namespace,
-; which are discarded after the process stops.
-PrivateTmp=true
 ; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
 ProtectSystem=full
 ; Sets up a new /dev mount for the process and only adds API pseudo devices
@@ -28,6 +23,11 @@ PrivateDevices=false
 ; Ensures that the service process and all its children can never gain new
 ; privileges through execve().
 NoNewPrivileges=true
+; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
+; by this unit. Make sure that you do not depend on data inside these folders.
+ProtectHome=true
+; Drops the sys admin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
 
 [Install]
 WantedBy=multi-user.target