25
1
mirror of https://github.com/processone/ejabberd.git synced 2024-11-28 16:34:13 +01:00
xmpp.chapril.org-ejabberd/ejabberd.service.template
Craig Andrews 2e28d06744 Harden the systemd unit
Restrict capabilities, have a private tmp directory, private /dev, and don't accessing file system locations that really shouldn't be accessed.
2016-06-28 17:02:41 -04:00

25 lines
542 B
Plaintext

[Unit]
Description=XMPP Server
After=network.target
[Service]
User=ejabberd
Group=ejabberd
LimitNOFILE=16000
RestartSec=5
ExecStart=@ctlscriptpath@/ejabberdctl start
ExecStop=@ctlscriptpath@/ejabberdctl stop
ExecReload=@ctlscriptpath@/ejabberdctl reload_config
Type=oneshot
RemainAfterExit=yes
# The CAP_DAC_OVERRIDE capability is required for pam authentication to work
CapabilityBoundingSet=CAP_DAC_OVERRIDE
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=full
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target