X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=support%2Fsystemd%2Fpeertube.service;h=00d66b917f7b5d81eeb15477ae937c2e0c9bf547;hb=e874edd9f876df7b4020137b3a9b7feb8078b38f;hp=03ead9fbdab15b8ba6860fa63653fee7b925afd1;hpb=d2000ca6e7fa77758d4f811e4a8af11108d2655d;p=github%2FChocobozzz%2FPeerTube.git

diff --git a/support/systemd/peertube.service b/support/systemd/peertube.service
index 03ead9fbd..00d66b917 100644
--- a/support/systemd/peertube.service
+++ b/support/systemd/peertube.service
@@ -1,19 +1,33 @@
 [Unit]
 Description=PeerTube daemon
-After=network.target
+After=network.target postgresql.service redis-server.service
 
 [Service]
 Type=simple
 Environment=NODE_ENV=production
-Environment=NODE_CONFIG_DIR=/home/peertube/config
+Environment=NODE_CONFIG_DIR=/var/www/peertube/config
 User=peertube
 Group=peertube
-ExecStart=/usr/bin/npm start
-WorkingDirectory=/home/peertube/peertube-latest
-StandardOutput=syslog
-StandardError=syslog
+ExecStart=/usr/bin/node dist/server
+WorkingDirectory=/var/www/peertube/peertube-latest
 SyslogIdentifier=peertube
 Restart=always
 
+; Some security directives.
+; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
+ProtectSystem=full
+; Sets up a new /dev mount for the process and only adds API pseudo devices
+; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
+; by default because it may not work on devices like the Raspberry Pi.
+PrivateDevices=false
+; Ensures that the service process and all its children can never gain new
+; privileges through execve().
+NoNewPrivileges=true
+; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
+; by this unit. Make sure that you do not depend on data inside these folders.
+ProtectHome=true
+; Drops the sys admin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+
 [Install]
 WantedBy=multi-user.target