75 lines
1.7 KiB
SYSTEMD
75 lines
1.7 KiB
SYSTEMD
|
# This variant of the unit file is for "opt" add-on installations that do not form part of the default installation.
|
||
|
# (i.e. out of band installations by the user, not installed by a system package manager like "apt")
|
||
|
#
|
||
|
# The relevant paths are:
|
||
|
#
|
||
|
#/opt/dogecoin/dogecoind
|
||
|
#/etc/opt/dogecoin/
|
||
|
#/var/opt/dogecoin/
|
||
|
|
||
|
[Unit]
|
||
|
Description=Dogecoin's distributed currency daemon
|
||
|
After=network.target
|
||
|
|
||
|
[Service]
|
||
|
Type=simple
|
||
|
ExecStart=/opt/dogecoin/bin/dogecoind -conf=/etc/opt/dogecoin/dogecoin.conf -datadir=/var/opt/dogecoin
|
||
|
|
||
|
KillSignal=SIGINT
|
||
|
Restart=always
|
||
|
RestartSec=5
|
||
|
TimeoutStopSec=60
|
||
|
TimeoutStartSec=5
|
||
|
StartLimitIntervalSec=120
|
||
|
StartLimitBurst=5
|
||
|
|
||
|
User=dogecoin
|
||
|
Group=dogecoin
|
||
|
|
||
|
### Restrict resource consumption
|
||
|
MemoryAccounting=yes
|
||
|
MemoryLimit=3g
|
||
|
|
||
|
### Restrict access to host file system.
|
||
|
#
|
||
|
# Hide the entire root file system by default, and *only* mount in exactly what is needed.
|
||
|
#
|
||
|
|
||
|
TemporaryFileSystem=/:ro
|
||
|
|
||
|
# Add core dependencies
|
||
|
BindReadOnlyPaths=/etc/ /lib/ /lib64/
|
||
|
|
||
|
# Add daemon paths
|
||
|
BindReadOnlyPaths=/opt/dogecoin/ /etc/opt/dogecoin/
|
||
|
BindPaths=/var/opt/dogecoin/
|
||
|
|
||
|
### Restrict access to system.
|
||
|
|
||
|
NoNewPrivileges=true
|
||
|
PrivateTmp=true
|
||
|
PrivateDevices=true
|
||
|
PrivateUsers=true
|
||
|
DevicePolicy=closed
|
||
|
ProtectHome=true
|
||
|
ProtectHostname=true
|
||
|
ProtectControlGroups=true
|
||
|
ProtectClock=true
|
||
|
ProtectKernelModules=true
|
||
|
ProtectKernelTunables=true
|
||
|
ProtectKernelLogs=true
|
||
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||
|
RestrictNamespaces=true
|
||
|
RestrictRealtime=true
|
||
|
RestrictSUIDSGID=true
|
||
|
MemoryDenyWriteExecute=true
|
||
|
LockPersonality=true
|
||
|
|
||
|
# ProtectSystem=strict would normally be used, however it nullifies TemporaryFileSystem,
|
||
|
# since it remounts root as read only over the top.
|
||
|
# In this case, do not enable ProtectSystem.
|
||
|
#ProtectSystem=strict
|
||
|
|
||
|
[Install]
|
||
|
WantedBy=multi-user.target
|