Update some vars and add murmur service
parent
95fbf873af
commit
105f71efcd
|
@ -8,6 +8,7 @@ RestartSec=10
|
||||||
# TODO: Add mounts
|
# TODO: Add mounts
|
||||||
TemporaryFileSystem=/:ro
|
TemporaryFileSystem=/:ro
|
||||||
BindReadOnlyPaths=/etc/influxdb /usr /lib /lib64
|
BindReadOnlyPaths=/etc/influxdb /usr /lib /lib64
|
||||||
|
BindPaths={{ influxdb.storage }}
|
||||||
|
|
||||||
SecureBits=noroot
|
SecureBits=noroot
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict
|
||||||
|
|
|
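Review bot: The `# TODO: Add mounts` comment is left unchanged although the new `BindPaths={{ influxdb.storage }}` line adds the writable mount, so a reader cannot tell what is still outstanding. Either drop the TODO or replace it with a comment describing the layout, for example `# Root is a read-only tmpfs; only the storage directory is bound writable`. The new line also reads `influxdb.storage` while the other two units touched in this commit use `global.*` names, so it is worth confirming this variable was not meant to move as well. The unit file continues outside the hunk.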
@ -0,0 +1,19 @@
|
||||||
|
[Service]
|
||||||
|
ExecStart=
|
||||||
|
ExecStart=/usr/sbin/murmurd -fg -ini {{ global.murmur.configpath }}
|
||||||
|
ProtectSystem=strict
|
||||||
|
PrivateUsers=true
|
||||||
|
NoNewPrivileges=yes
|
||||||
|
TemporaryFileSystem=/:ro
|
||||||
|
BindReadOnlyPaths={{ global.murmur.configpath }} /usr /lib /lib64
|
||||||
|
ProtectControlGroups=yes
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
ProtectKernelTunables=yes
|
||||||
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||||
|
RestrictNamespaces=yes
|
||||||
|
RestrictRealtime=yes
|
||||||
|
RestrictSUIDSGID=yes
|
||||||
|
MemoryDenyWriteExecute=yes
|
||||||
|
LockPersonality=yes
|
||||||
|
PrivateTmp=yes
|
||||||
|
PrivateDevices=yes
|
|
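Review bot: No writable path is bound into this sandbox. `TemporaryFileSystem=/:ro` replaces the root with a read-only tmpfs and the only bind is the `BindReadOnlyPaths=` line, so murmurd's database and log locations (set in the ini, not visible here) would presumably be missing or read-only. The influxdb unit in this commit solves this with a `BindPaths=` line, and the same is needed here, e.g. `BindPaths=<murmur data directory>` (placeholder for whatever the ini points at). If the TLS certificate and key live outside the config path, they need a read-only bind too. A one-line comment above the empty `ExecStart=` saying it clears the packaged command before the override would help the next reader.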
@ -12,10 +12,10 @@ ProtectSystem=strict
|
||||||
PrivateUsers=true
|
PrivateUsers=true
|
||||||
NoNewPrivileges=yes
|
NoNewPrivileges=yes
|
||||||
|
|
||||||
ReadWritePaths={{ transmission.root_dir }}
|
ReadWritePaths={{ global.seedbox.transmission.root_dir }}
|
||||||
BindReadOnlyPaths=/usr /lib /lib64
|
BindReadOnlyPaths=/usr /lib /lib64
|
||||||
TemporaryFileSystem=/:ro
|
TemporaryFileSystem=/:ro
|
||||||
Environment=TRANSMISSION_HOME={{ transmission.root_dir }}/.config
|
Environment=TRANSMISSION_HOME={{ global.seedbox.transmission.root_dir }}/.config
|
||||||
|
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes
|
||||||
|
|