|
- [Unit]
- Description=PeerTube daemon
- After=network.target postgresql.service redis-server.service
-
- [Service]
- Type=simple
- Environment=NODE_ENV=production
- Environment=NODE_CONFIG_DIR=/var/www/peertube/config
- User=peertube
- Group=peertube
- ExecStart=/usr/bin/node dist/server
- WorkingDirectory=/var/www/peertube/peertube-latest
- SyslogIdentifier=peertube
- Restart=always
-
- ; Some security directives.
- ; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
- ProtectSystem=full
- ; Sets up a new /dev mount for the process and only adds API pseudo devices
- ; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
- ; by default because it may not work on devices like the Raspberry Pi.
- PrivateDevices=false
- ; Ensures that the service process and all its children can never gain new
- ; privileges through execve().
- NoNewPrivileges=true
- ; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
- ; by this unit. Make sure that you do not depend on data inside these folders.
- ProtectHome=true
- ; Drops the sys admin capability from the daemon.
- CapabilityBoundingSet=~CAP_SYS_ADMIN
-
- [Install]
- WantedBy=multi-user.target
|
