8632c83881
Use simple invocation type instead of forking daemon Add alternative unit file for /usr/local installs Add /opt/ systemd unit variant Fix comments Add 3GB memory limit to systemd unit Restore newlines at end of systemd unit files Remove "via official sources" comment from the opt systemd unit file Use term "variant" instead of "variation" since the former is more specific and correct for this context Correct dogecoin package directory from "dogecoind" to "dogecoin" Use tarball bin path Co-authored-by: Patrick Lodder <patricklodder@users.noreply.github.com>
74 lines
1.6 KiB
Desktop File
74 lines
1.6 KiB
Desktop File
# This variant of the unit file is for package installations.
|
|
#
|
|
# The relevant paths are:
|
|
#
|
|
#/usr/bin/dogecoind
|
|
#/etc/dogecoin/
|
|
#/var/lib/dogecoin/
|
|
|
|
[Unit]
|
|
Description=Dogecoin's distributed currency daemon
|
|
After=network.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
ExecStart=/usr/bin/dogecoind -conf=/etc/dogecoin/dogecoin.conf -datadir=/var/lib/dogecoin
|
|
|
|
KillSignal=SIGINT
|
|
Restart=always
|
|
RestartSec=5
|
|
TimeoutStopSec=60
|
|
TimeoutStartSec=5
|
|
StartLimitIntervalSec=120
|
|
StartLimitBurst=5
|
|
|
|
User=dogecoin
|
|
Group=dogecoin
|
|
|
|
### Restrict resource consumption
|
|
MemoryAccounting=yes
|
|
MemoryLimit=3g
|
|
|
|
### Restrict access to host file system.
|
|
#
|
|
# Hide the entire root file system by default, and *only* mount in exactly what is needed.
|
|
#
|
|
|
|
TemporaryFileSystem=/:ro
|
|
|
|
# Add core dependencies
|
|
BindReadOnlyPaths=/etc/ /lib/ /lib64/
|
|
|
|
# Add daemon paths
|
|
BindReadOnlyPaths=/usr/bin/dogecoind /etc/dogecoin/
|
|
BindPaths=/var/lib/dogecoin
|
|
|
|
### Restrict access to system.
|
|
|
|
NoNewPrivileges=true
|
|
PrivateTmp=true
|
|
PrivateDevices=true
|
|
PrivateUsers=true
|
|
DevicePolicy=closed
|
|
ProtectHome=true
|
|
ProtectHostname=true
|
|
ProtectControlGroups=true
|
|
ProtectClock=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelLogs=true
|
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
|
RestrictNamespaces=true
|
|
RestrictRealtime=true
|
|
RestrictSUIDSGID=true
|
|
MemoryDenyWriteExecute=true
|
|
LockPersonality=true
|
|
|
|
# ProtectSystem=strict would normally be used, however it nullifies TemporaryFileSystem,
|
|
# since it remounts root as read only over the top.
|
|
# In this case, do not enable ProtectSystem.
|
|
#ProtectSystem=strict
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|