annotate misc/systemd/prosody.service @ 5502:fd4d89a5b8db

mod_http_oauth2: Add provisions for dynamically adding simple scopes This lets additional modules define what scopes they might add to the userinfo endpoint, or other things.
author Kim Alvefur <zash@zash.se>
date Thu, 01 Jun 2023 18:16:13 +0200
parents f8ecb4b248b0
children bf5370a40a15
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
2351
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 [Unit]
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 ### see man systemd.unit
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 Description=Prosody XMPP Server
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 Documentation=https://prosody.im/doc
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 [Service]
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7 ### See man systemd.service ###
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 # With this configuration, systemd takes care of daemonization
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9 # so Prosody should be configured with daemonize = false
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 Type=simple
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 # Not sure if this is needed for 'simple'
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 PIDFile=/var/run/prosody/prosody.pid
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15 # Start by executing the main executable
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 ExecStart=/usr/bin/prosody
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 ExecReload=/bin/kill -HUP $MAINPID
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 # Restart on crashes
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21 Restart=on-abnormal
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23 # Set O_NONBLOCK flag on sockets passed via socket activation
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 NonBlocking=true
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 ### See man systemd.exec ###
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 WorkingDirectory=/var/lib/prosody
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30 User=prosody
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 Group=prosody
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 Umask=0027
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35 # Nice=0
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
37 # Set stdin to /dev/null since Prosody does not need it
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38 StandardInput=null
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40 # Direct stdout/-err to journald for use with log = "*stdout"
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41 StandardOutput=journal
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
42 StandardError=inherit
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
43
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
44 # This usually defaults to 4k or so
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
45 # LimitNOFILE=1M
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
46
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
47 ## Interesting protection methods
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
48 # Finding a useful combo of these settings would be nice
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
49 #
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
50 # Needs read access to /etc/prosody for config
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
51 # Needs write access to /var/lib/prosody for storing data (for internal storage)
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
52 # Needs write access to /var/log/prosody for writing logs (depending on config)
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
53 # Needs read access to code and libraries loaded
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
54
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
55 # ReadWriteDirectories=/var/lib/prosody /var/log/prosody
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
56 # InaccessibleDirectories=/boot /home /media /mnt /root /srv
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
57 # ReadOnlyDirectories=/usr /etc/prosody
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
58
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
59 # PrivateTmp=true
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
60 # PrivateDevices=true
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
61 # PrivateNetwork=false
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
62
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
63 # ProtectSystem=full
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
64 # ProtectHome=true
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
65 # ProtectKernelTunables=true
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
66 # ProtectControlGroups=true
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
67 # SystemCallFilter=
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
68
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
69 # This should break LuaJIT
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
70 # MemoryDenyWriteExecute=true
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
71
f8ecb4b248b0 misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff changeset
72