Mercurial > prosody-modules
annotate misc/systemd/prosody.service @ 5265:f845c218e52c
mod_http_oauth2: Allow revoking a token without OAuth client credentials
If you have a valid token, and you're not supposed to have it, revoking
it seems the most responsible thing to do with it, so it should be
allowed, while if you are supposed to have it, you should also be
allowed to revoke it.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 21 Mar 2023 22:02:38 +0100 |
parents | f8ecb4b248b0 |
children | bf5370a40a15 |
rev | line source |
---|---|
2351
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 [Unit] |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 ### see man systemd.unit |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 Description=Prosody XMPP Server |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 Documentation=https://prosody.im/doc |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 [Service] |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 ### See man systemd.service ### |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 # With this configuration, systemd takes care of daemonization |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 # so Prosody should be configured with daemonize = false |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 Type=simple |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 # Not sure if this is needed for 'simple' |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 PIDFile=/var/run/prosody/prosody.pid |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 # Start by executing the main executable |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 ExecStart=/usr/bin/prosody |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 ExecReload=/bin/kill -HUP $MAINPID |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 # Restart on crashes |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 Restart=on-abnormal |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 # Set O_NONBLOCK flag on sockets passed via socket activation |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 NonBlocking=true |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 ### See man systemd.exec ### |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 WorkingDirectory=/var/lib/prosody |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 User=prosody |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 Group=prosody |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 Umask=0027 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 # Nice=0 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 # Set stdin to /dev/null since Prosody does not need it |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 StandardInput=null |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 # Direct stdout/-err to journald for use with log = "*stdout" |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 StandardOutput=journal |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 StandardError=inherit |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 # This usually defaults to 4k or so |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 # LimitNOFILE=1M |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 ## Interesting protection methods |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
48 # Finding a useful combo of these settings would be nice |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
49 # |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
50 # Needs read access to /etc/prosody for config |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 # Needs write access to /var/lib/prosody for storing data (for internal storage) |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 # Needs write access to /var/log/prosody for writing logs (depending on config) |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 # Needs read access to code and libraries loaded |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 # ReadWriteDirectories=/var/lib/prosody /var/log/prosody |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 # InaccessibleDirectories=/boot /home /media /mnt /root /srv |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 # ReadOnlyDirectories=/usr /etc/prosody |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 # PrivateTmp=true |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 # PrivateDevices=true |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 # PrivateNetwork=false |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
62 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
63 # ProtectSystem=full |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
64 # ProtectHome=true |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
65 # ProtectKernelTunables=true |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
66 # ProtectControlGroups=true |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
67 # SystemCallFilter= |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
68 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
69 # This should break LuaJIT |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
70 # MemoryDenyWriteExecute=true |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
71 |
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
72 |