# HG changeset patch
# User Kim Alvefur
# Date 1478560146 -3600
# Node ID f8ecb4b248b08b862abc77b7d01546ffc439e719
# Parent 67990e045d4fb4e0cd18827dceade24a343666ab
misc: An experimental systemd service file
diff -r 67990e045d4f -r f8ecb4b248b0 misc/systemd/prosody.service
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/misc/systemd/prosody.service Tue Nov 08 00:09:06 2016 +0100
@@ -0,0 +1,72 @@
+[Unit]
+### see man systemd.unit
+Description=Prosody XMPP Server
+Documentation=https://prosody.im/doc
+
+[Service]
+### See man systemd.service ###
+# With this configuration, systemd takes care of daemonization
+# so Prosody should be configured with daemonize = false
+Type=simple
+
+# Not sure if this is needed for 'simple'
+PIDFile=/var/run/prosody/prosody.pid
+
+# Start by executing the main executable
+ExecStart=/usr/bin/prosody
+
+ExecReload=/bin/kill -HUP $MAINPID
+
+# Restart on crashes
+Restart=on-abnormal
+
+# Set O_NONBLOCK flag on sockets passed via socket activation
+NonBlocking=true
+
+### See man systemd.exec ###
+
+WorkingDirectory=/var/lib/prosody
+
+User=prosody
+Group=prosody
+
+Umask=0027
+
+# Nice=0
+
+# Set stdin to /dev/null since Prosody does not need it
+StandardInput=null
+
+# Direct stdout/-err to journald for use with log = "*stdout"
+StandardOutput=journal
+StandardError=inherit
+
+# This usually defaults to 4k or so
+# LimitNOFILE=1M
+
+## Interesting protection methods
+# Finding a useful combo of these settings would be nice
+#
+# Needs read access to /etc/prosody for config
+# Needs write access to /var/lib/prosody for storing data (for internal storage)
+# Needs write access to /var/log/prosody for writing logs (depending on config)
+# Needs read access to code and libraries loaded
+
+# ReadWriteDirectories=/var/lib/prosody /var/log/prosody
+# InaccessibleDirectories=/boot /home /media /mnt /root /srv
+# ReadOnlyDirectories=/usr /etc/prosody
+
+# PrivateTmp=true
+# PrivateDevices=true
+# PrivateNetwork=false
+
+# ProtectSystem=full
+# ProtectHome=true
+# ProtectKernelTunables=true
+# ProtectControlGroups=true
+# SystemCallFilter=
+
+# This should break LuaJIT
+# MemoryDenyWriteExecute=true
+
+
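Review bot: `Umask=0027` in the [Service] section is not a key systemd recognises: the directive is spelled `UMask=` and unit keys are case-sensitive, so the line is logged as unknown and ignored, and the service runs with systemd's default umask of 0022. Unless Prosody sets its own umask (not visible in this file), data and log files it creates under /var/lib/prosody and /var/log/prosody may end up world-readable; change the line to `UMask=0027`. Separately, every sandboxing option in the "Interesting protection methods" block is commented out, so the unit ships with no confinement beyond `User=`/`Group=`. `PrivateTmp=true`, `ProtectHome=true` and `NoNewPrivileges=true` (the last is not in the list) look like candidates to enable first, subject to testing with the modules in use.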