From 1b1082910ed25a245396bd8f3c111f347bb24c06 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Tue, 26 Jun 2018 01:02:48 -0600 Subject: [PATCH] remove systemd options which are not valid for user, remove pre-templated files --- .../LaunchDaemons/cloud.telebit.remote.plist | 61 ----------------- .../skel/.config/systemd/user/telebit.service | 61 ----------------- .../.config/systemd/user/telebit.service.tpl | 8 +-- .../dist/etc/systemd/system/telebit.service | 65 ------------------- 4 files changed, 4 insertions(+), 191 deletions(-) delete mode 100644 usr/share/dist/Library/LaunchDaemons/cloud.telebit.remote.plist delete mode 100644 usr/share/dist/etc/skel/.config/systemd/user/telebit.service delete mode 100644 usr/share/dist/etc/systemd/system/telebit.service diff --git a/usr/share/dist/Library/LaunchDaemons/cloud.telebit.remote.plist b/usr/share/dist/Library/LaunchDaemons/cloud.telebit.remote.plist deleted file mode 100644 index efec4a4..0000000 --- a/usr/share/dist/Library/LaunchDaemons/cloud.telebit.remote.plist +++ /dev/null @@ -1,61 +0,0 @@ - - - - - Label - Telebit Remote - ProgramArguments - - /opt/telebit/bin/node - /opt/telebit/bin/telebitd.js - daemon - --config - /opt/telebit/etc/telebitd.yml - - EnvironmentVariables - - TELEBIT_PATH - /opt/telebit - NODE_PATH - /opt/telebit/lib/node_modules - NPM_CONFIG_PREFIX - /opt/telebit - - - UserName - root - GroupName - wheel - InitGroups - - - RunAtLoad - - KeepAlive - - - - SoftResourceLimits - - NumberOfFiles - 8192 - - HardResourceLimits - - - WorkingDirectory - /opt/telebit - - StandardErrorPath - /opt/telebit/var/log/error.log - StandardOutPath - /opt/telebit/var/log/info.log - - diff --git a/usr/share/dist/etc/skel/.config/systemd/user/telebit.service b/usr/share/dist/etc/skel/.config/systemd/user/telebit.service deleted file mode 100644 index 735d353..0000000 --- a/usr/share/dist/etc/skel/.config/systemd/user/telebit.service +++ /dev/null 
@@ -1,61 +0,0 @@
-# Pre-req
-# sudo adduser telebit --home /opt/telebit
-# sudo mkdir -p /opt/telebit/
-# sudo chown -R telebit:telebit /opt/telebit/
-
-[Unit]
-Description=Telebit Remote
-Documentation=https://git.coolaj86.com/coolaj86/telebit.js/
-
-[Service]
-# Restart on crash (bad signal), but not on 'clean' failure (error exit code)
-# Allow up to 3 restarts within 10 seconds
-# (it's unlikely that a user or properly-running script will do this)
-Restart=always
-StartLimitInterval=10
-StartLimitBurst=3
-
-# https://wiki.archlinux.org/index.php/Systemd/User
-# ~/.local/share/systemd/user/
-WorkingDirectory=%h/.config/telebit
-# custom directory cannot be set and will be the place where gitea exists, not the working directory
-ExecStart=/opt/telebit/bin/node /opt/telebit/bin/telebit.js --config /etc/telebit/telebit.yml
-ExecReload=/bin/kill -USR1 $MAINPID
-
-# Limit the number of file descriptors and processes; see `man systemd.exec` for more limit settings.
-# Unmodified gitea is not expected to use more than this.
-LimitNOFILE=1048576
-LimitNPROC=64
-
-# Use private /tmp and /var/tmp, which are discarded after gitea stops.
-PrivateTmp=true
-# Use a minimal /dev
-PrivateDevices=true
-# Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
-ProtectHome=true
-# Make /usr, /boot, /etc and possibly some more folders read-only.
-ProtectSystem=full
-# ... except /opt/gitea because we want a place for the database
-# and /var/log/gitea because we want a place where logs can go.
-# This merely retains r/w access rights, it does not add any new.
-# Must still be writable on the host!
-ReadWriteDirectories=/opt/telebit /etc/telebit
-
-# Note: in v231 and above ReadWritePaths has been renamed to ReadWriteDirectories
-; ReadWritePaths=/opt/telebit /etc/telebit
-
-# The following additional security directives only work with systemd v229 or later.
-# They further retrict privileges that can be gained by gitea.
-# Note that you may have to add capabilities required by any plugins in use.
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-NoNewPrivileges=true
-
-# Caveat: Some features may need additional capabilities.
-# For example an "upload" may need CAP_LEASE
-; CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_LEASE
-; AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_LEASE
-; NoNewPrivileges=true
-
-[Install]
-WantedBy=multi-user.target
diff --git a/usr/share/dist/etc/skel/.config/systemd/user/telebit.service.tpl b/usr/share/dist/etc/skel/.config/systemd/user/telebit.service.tpl
index 7249d79..93ca864 100644
--- a/usr/share/dist/etc/skel/.config/systemd/user/telebit.service.tpl
+++ b/usr/share/dist/etc/skel/.config/systemd/user/telebit.service.tpl
@@ -18,8 +18,8 @@ StartLimitInterval=10
 StartLimitBurst=3
 
 # User and group the process will run as
-#User={TELEBIT_USER}
-#Group={TELEBIT_GROUP}
+;User={TELEBIT_USER}
+;Group={TELEBIT_GROUP}
 
 WorkingDirectory={TELEBIT_PATH}
 # custom directory cannot be set and will be the place where this exists, not the working directory
@@ -34,7 +34,7 @@ LimitNPROC=64
 # Use private /tmp and /var/tmp, which are discarded after this stops.
 PrivateTmp=true
 # Use a minimal /dev
-PrivateDevices=true
+;PrivateDevices=true
 # Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
 ProtectHome=true
 # Make /usr, /boot, /etc and possibly some more folders read-only.
@@ -52,7 +52,7 @@ ReadWriteDirectories={TELEBIT_RW_DIRS}
 # Note that you may have to add capabilities required by any plugins in use.
 ;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 ;AmbientCapabilities=CAP_NET_BIND_SERVICE
-;NoNewPrivileges=true
+NoNewPrivileges=true
 
 # Caveat: Some features may need additional capabilities.
 # For example an "upload" may need CAP_LEASE
diff --git a/usr/share/dist/etc/systemd/system/telebit.service b/usr/share/dist/etc/systemd/system/telebit.service
deleted file mode 100644
index ef082ef..0000000
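Review bot: The context comment `# Use a minimal /dev` in the second hunk (-34,7) still reads as if the directive under it were active, although `;PrivateDevices=true` is now disabled; I would reword it to `# PrivateDevices= is left off: per this commit it is not valid in a user unit, so /dev is not restricted`. The neighbouring context lines `PrivateTmp=true` and `ProtectHome=true` stay enabled and also rely on mount namespaces, so depending on the systemd version they may be ignored or may stop the unit from starting under a `--user` manager; this should be confirmed on the oldest supported systemd. If they turn out not to be enforced, the "Nobody will steal your SSH-keys" comment overstates the protection and should be softened. The [Service] section starts and ends outside this hunk.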
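Review bot: Enabling `NoNewPrivileges=true` in the third hunk (-52,7) while `;CapabilityBoundingSet=` and `;AmbientCapabilities=` stay commented out means the process cannot gain CAP_NET_BIND_SERVICE through the unit, and with no_new_privs set the kernel also ignores setuid bits and file capabilities on exec. If the installer relies on file capabilities on the node binary to bind ports below 1024 (not visible in this patch), that path would stop working once this template is deployed. I would document the interaction next to the directive, for example `# NoNewPrivileges also disables setuid and file capabilities on exec; low ports must be granted another way`. The comment block about "systemd v229 or later" that introduces these directives begins above the hunk.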
--- a/usr/share/dist/etc/systemd/system/telebit.service
+++ /dev/null
@@ -1,65 +0,0 @@
-# Pre-req
-# sudo adduser telebit --home /opt/telebit
-# sudo mkdir -p /opt/telebit/
-# sudo chown -R telebit:telebit /opt/telebit/
-
-[Unit]
-Description=Telebit Remote
-Documentation=https://git.coolaj86.com/coolaj86/telebit.js/
-After=network-online.target
-Wants=network-online.target systemd-networkd-wait-online.service
-
-[Service]
-# Restart on crash (bad signal), but not on 'clean' failure (error exit code)
-# Allow up to 3 restarts within 10 seconds
-# (it's unlikely that a user or properly-running script will do this)
-Restart=always
-StartLimitInterval=10
-StartLimitBurst=3
-
-# User and group the process will run as
-# (git is the de facto standard on most systems)
-User=telebit
-Group=telebit
-
-WorkingDirectory=/opt/telebit
-# custom directory cannot be set and will be the place where this exists, not the working directory
-ExecStart=/opt/telebit/bin/node /opt/telebit/bin/telebitd.js daemon --config /opt/telebit/etc/telebitd.yml
-ExecReload=/bin/kill -USR1 $MAINPID
-
-# Limit the number of file descriptors and processes; see `man systemd.exec` for more limit settings.
-# Unmodified, this is not expected to use more than this.
-LimitNOFILE=1048576
-LimitNPROC=64
-
-# Use private /tmp and /var/tmp, which are discarded after this stops.
-PrivateTmp=true
-# Use a minimal /dev
-PrivateDevices=true
-# Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
-ProtectHome=true
-# Make /usr, /boot, /etc and possibly some more folders read-only.
-ProtectSystem=full
-# ... except /opt/telebit because we want a place for config, logs, etc
-# This merely retains r/w access rights, it does not add any new.
-# Must still be writable on the host!
-ReadWriteDirectories=/opt/telebit
-
-# Note: in v231 and above ReadWritePaths has been renamed to ReadWriteDirectories
-; ReadWritePaths=/opt/telebit
-
-# The following additional security directives only work with systemd v229 or later.
-# They further retrict privileges that can be gained.
-# Note that you may have to add capabilities required by any plugins in use.
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-NoNewPrivileges=true
-
-# Caveat: Some features may need additional capabilities.
-# For example an "upload" may need CAP_LEASE
-; CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_LEASE
-; AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_LEASE
-; NoNewPrivileges=true
-
-[Install]
-WantedBy=multi-user.target