Mercurial > prosody-modules
annotate misc/systemd/prosody.service @ 5401:c8d04ac200fc
mod_http_oauth2: Reject loopback URIs as client_uri
This really should be a proper website with info, https://localhost is
not good enough. Ideally we'd validate that it's got proper DNS and is
actually reachable, but triggering HTTP or even DNS lookups seems like
it would carry abuse potential that would best to avoid.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 02 May 2023 16:20:55 +0200 |
| parents | f8ecb4b248b0 |
| children | bf5370a40a15 |
| rev | line source |
|---|---|
|
2351
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 [Unit] |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 ### see man systemd.unit |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 Description=Prosody XMPP Server |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 Documentation=https://prosody.im/doc |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 [Service] |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 ### See man systemd.service ### |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 # With this configuration, systemd takes care of daemonization |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 # so Prosody should be configured with daemonize = false |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 Type=simple |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 # Not sure if this is needed for 'simple' |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 PIDFile=/var/run/prosody/prosody.pid |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 # Start by executing the main executable |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 ExecStart=/usr/bin/prosody |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 ExecReload=/bin/kill -HUP $MAINPID |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 # Restart on crashes |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 Restart=on-abnormal |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 # Set O_NONBLOCK flag on sockets passed via socket activation |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 NonBlocking=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 ### See man systemd.exec ### |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 WorkingDirectory=/var/lib/prosody |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 User=prosody |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 Group=prosody |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 Umask=0027 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 # Nice=0 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 # Set stdin to /dev/null since Prosody does not need it |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 StandardInput=null |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 # Direct stdout/-err to journald for use with log = "*stdout" |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 StandardOutput=journal |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 StandardError=inherit |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 # This usually defaults to 4k or so |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 # LimitNOFILE=1M |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 ## Interesting protection methods |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
48 # Finding a useful combo of these settings would be nice |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
49 # |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
50 # Needs read access to /etc/prosody for config |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 # Needs write access to /var/lib/prosody for storing data (for internal storage) |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 # Needs write access to /var/log/prosody for writing logs (depending on config) |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 # Needs read access to code and libraries loaded |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 # ReadWriteDirectories=/var/lib/prosody /var/log/prosody |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 # InaccessibleDirectories=/boot /home /media /mnt /root /srv |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 # ReadOnlyDirectories=/usr /etc/prosody |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 # PrivateTmp=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 # PrivateDevices=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 # PrivateNetwork=false |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
62 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
63 # ProtectSystem=full |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
64 # ProtectHome=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
65 # ProtectKernelTunables=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
66 # ProtectControlGroups=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
67 # SystemCallFilter= |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
68 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
69 # This should break LuaJIT |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
70 # MemoryDenyWriteExecute=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
71 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
72 |