Mercurial > prosody-modules

view misc/systemd/prosody.service @ 5425:3b30635d215c

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_http_oauth2: Support granting zero role-scopes It seems Very Bad that if you uncheck all roles on the consent page, you get the default scopes, which seems the opposite of what you probably intended. Currently, mod_tokenauth will do the same thing, so work is needed there too to allow issuing tokens without roles. A token without a role could be used for OIDC login, and not much else. This seems like a valuable thing to support.
author Kim Alvefur <zash@zash.se>
date Sun, 07 May 2023 19:29:15 +0200
parents f8ecb4b248b0
children bf5370a40a15
line wrap: on
line source

[Unit]
### see man systemd.unit
Description=Prosody XMPP Server
Documentation=https://prosody.im/doc

[Service]
### See man systemd.service ###
# With this configuration, systemd takes care of daemonization
# so Prosody should be configured with daemonize = false
Type=simple

# Not sure if this is needed for 'simple'
PIDFile=/var/run/prosody/prosody.pid

# Start by executing the main executable
ExecStart=/usr/bin/prosody

ExecReload=/bin/kill -HUP $MAINPID

# Restart on crashes
Restart=on-abnormal

# Set O_NONBLOCK flag on sockets passed via socket activation
NonBlocking=true

### See man systemd.exec ###

WorkingDirectory=/var/lib/prosody

User=prosody
Group=prosody

Umask=0027

# Nice=0

# Set stdin to /dev/null since Prosody does not need it
StandardInput=null

# Direct stdout/-err to journald for use with log = "*stdout"
StandardOutput=journal
StandardError=inherit

# This usually defaults to 4k or so
# LimitNOFILE=1M

## Interesting protection methods
# Finding a useful combo of these settings would be nice
#
# Needs read access to /etc/prosody for config
# Needs write access to /var/lib/prosody for storing data (for internal storage)
# Needs write access to /var/log/prosody for writing logs (depending on config)
# Needs read access to code and libraries loaded

# ReadWriteDirectories=/var/lib/prosody /var/log/prosody
# InaccessibleDirectories=/boot /home /media /mnt /root /srv
# ReadOnlyDirectories=/usr /etc/prosody

# PrivateTmp=true
# PrivateDevices=true
# PrivateNetwork=false

# ProtectSystem=full
# ProtectHome=true
# ProtectKernelTunables=true
# ProtectControlGroups=true
# SystemCallFilter=

# This should break LuaJIT
# MemoryDenyWriteExecute=true