Hardened unit with ProtectSystem/ProtectHome, auto-restart on failure, and ExecReload for SIGHUP hot config reload. Docs updated with setup, management, and enable-linger instructions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
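# systemd service unit for the IRC bouncer.
# NOTE(review): the %h paths and WantedBy=default.target suggest this is loaded
# by a per-user manager (systemctl --user) - confirm. Several notes below
# depend on which service manager runs it.

[Unit]
Description=IRC bouncer with stealth connect and multi-network multiplexing
# Start after, and pull in, network-online.target.
# NOTE(review): a per-user manager cannot order against system units, so this
# pair presumably has no effect there - confirm, and make sure the bouncer
# retries its upstream connections on its own.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# NOTE(review): a per-user manager cannot change credentials; there User=/Group=
# are redundant at best, and Group= is a commonly reported cause of start
# failure with status 216/GROUP - confirm and drop if so. In a system unit, %h
# is the service manager's home (/root) and is not influenced by User=.
User=user
Group=user

# %h is the home directory of the user running the service manager.
ExecStart=%h/git/bouncer/.venv/bin/bouncer -c %h/git/bouncer/config/bouncer.toml
# Reload = send SIGHUP to the main process. The signal is delivered
# asynchronously: "systemctl reload" returning does not mean the new
# configuration was accepted, so check the journal afterwards.
ExecReload=kill -HUP $MAINPID

# Restart only after an unclean exit, waiting 10 s between attempts.
Restart=on-failure
RestartSec=10

# Logging (stdout/stderr -> journal)
StandardOutput=journal
StandardError=journal
SyslogIdentifier=bouncer

# Hardening
# In a per-user manager the mount-namespace options below depend on
# unprivileged user namespaces being available. Verify what is actually applied
# with `systemd-analyze security <unit>` (add --user for a per-user manager)
# rather than assuming it from this file.
NoNewPrivileges=yes
# Whole file system hierarchy read-only for the service, home directories
# replaced by an empty tmpfs.
ProtectSystem=strict
ProtectHome=tmpfs
# Re-expose the checkout inside the sandbox. BindPaths= is a writable bind
# mount, so the service can modify the code and .venv it is started from, as
# well as its own config file.
# NOTE(review): if the bouncer only writes to a state/log directory, bind the
# tree with BindReadOnlyPaths= and make only that directory writable - TODO
# confirm what it writes.
BindPaths=%h/git/bouncer
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
# Blocks mappings that are writable and executable at the same time.
# NOTE(review): ExecStart runs from a .venv, so presumably Python; libraries
# that generate code at run time fail under this - exercise all code paths.
MemoryDenyWriteExecute=yes
# systemd.exec(5) recommends pairing MemoryDenyWriteExecute= with this so the
# filter cannot be sidestepped through an alternative syscall ABI.
SystemCallArchitectures=native

[Install]
WantedBy=default.target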