feat: systemd user service file for headless deployment
Hardened unit with ProtectSystem/ProtectHome, auto-restart on failure, and ExecReload for SIGHUP hot config reload. Docs updated with setup, management, and enable-linger instructions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
user
36
config/bouncer.service
Normal file
36
config/bouncer.service
Normal file
@@ -0,0 +1,36 @@
|
||||
[Unit]
|
||||
Description=IRC bouncer with stealth connect and multi-network multiplexing
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=user
|
||||
Group=user
|
||||
|
||||
ExecStart=%h/git/bouncer/.venv/bin/bouncer -c %h/git/bouncer/config/bouncer.toml
|
||||
ExecReload=kill -HUP $MAINPID
|
||||
|
||||
Restart=on-failure
|
||||
RestartSec=10
|
||||
|
||||
# Logging (stdout/stderr -> journal)
|
||||
StandardOutput=journal
|
||||
StandardError=journal
|
||||
SyslogIdentifier=bouncer
|
||||
|
||||
# Hardening
|
||||
NoNewPrivileges=yes
|
||||
ProtectSystem=strict
|
||||
ProtectHome=tmpfs
|
||||
BindPaths=%h/git/bouncer
|
||||
PrivateTmp=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectControlGroups=yes
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
|
||||
Reference in New Issue
Block a user