Mercurial > prosody-modules
annotate misc/systemd/prosody.service @ 5646:d67980d9e12d
mod_http_oauth2: Apply refresh token ttl to refresh token instead of grant
The intent in 59d5fc50f602 was for refresh tokens to extend the lifetime
of the grant, but the refresh token ttl was applied to the grant and
mod_tokenauth does not change it, leading to the grant expiring
regardless of refresh token usage.
This makes grant lifetimes unlimited, which seems to be standard
practice in the wild.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Mon, 11 Sep 2023 10:48:31 +0200 |
| parents | f8ecb4b248b0 |
| children | bf5370a40a15 |
| rev | line source |
|---|---|
|
2351
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 [Unit] |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 ### see man systemd.unit |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 Description=Prosody XMPP Server |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 Documentation=https://prosody.im/doc |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 [Service] |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 ### See man systemd.service ### |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 # With this configuration, systemd takes care of daemonization |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 # so Prosody should be configured with daemonize = false |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 Type=simple |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 # Not sure if this is needed for 'simple' |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 PIDFile=/var/run/prosody/prosody.pid |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 # Start by executing the main executable |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 ExecStart=/usr/bin/prosody |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 ExecReload=/bin/kill -HUP $MAINPID |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 # Restart on crashes |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 Restart=on-abnormal |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 # Set O_NONBLOCK flag on sockets passed via socket activation |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 NonBlocking=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 ### See man systemd.exec ### |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 WorkingDirectory=/var/lib/prosody |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 User=prosody |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 Group=prosody |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 Umask=0027 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 # Nice=0 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 # Set stdin to /dev/null since Prosody does not need it |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 StandardInput=null |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 # Direct stdout/-err to journald for use with log = "*stdout" |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 StandardOutput=journal |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 StandardError=inherit |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 # This usually defaults to 4k or so |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 # LimitNOFILE=1M |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 ## Interesting protection methods |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
48 # Finding a useful combo of these settings would be nice |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
49 # |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
50 # Needs read access to /etc/prosody for config |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 # Needs write access to /var/lib/prosody for storing data (for internal storage) |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 # Needs write access to /var/log/prosody for writing logs (depending on config) |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 # Needs read access to code and libraries loaded |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 # ReadWriteDirectories=/var/lib/prosody /var/log/prosody |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 # InaccessibleDirectories=/boot /home /media /mnt /root /srv |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 # ReadOnlyDirectories=/usr /etc/prosody |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 # PrivateTmp=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 # PrivateDevices=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 # PrivateNetwork=false |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
62 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
63 # ProtectSystem=full |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
64 # ProtectHome=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
65 # ProtectKernelTunables=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
66 # ProtectControlGroups=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
67 # SystemCallFilter= |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
68 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
69 # This should break LuaJIT |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
70 # MemoryDenyWriteExecute=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
71 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
72 |