56 lines
1.2 KiB
Desktop File
56 lines
1.2 KiB
Desktop File
[Unit]
|
|
Description=MatrixRTC Authorization Service (lk-jwt-service)
|
|
Wants=network-online.target
|
|
After=network-online.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
ExecStart=/usr/bin/lk-jwt-service
|
|
|
|
EnvironmentFile=-/etc/lk-jwt-service/lk-jwt-service.env
|
|
|
|
# Secrets via systemd credentials (preferred)
|
|
#LoadCredential=livekit_key:/etc/lk-jwt-service/livekit_key
|
|
#LoadCredential=livekit_secret:/etc/lk-jwt-service/livekit_secret
|
|
#Environment=LIVEKIT_KEY_FROM_FILE=%d/livekit_key
|
|
#Environment=LIVEKIT_SECRET_FROM_FILE=%d/livekit_secret
|
|
|
|
# --- Hardening ---
|
|
DynamicUser=yes
|
|
NoNewPrivileges=yes
|
|
|
|
PrivateTmp=yes
|
|
PrivateDevices=yes
|
|
ProtectSystem=strict
|
|
ProtectHome=yes
|
|
|
|
ProtectControlGroups=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectKernelModules=yes
|
|
ProtectKernelLogs=yes
|
|
ProtectClock=yes
|
|
ProtectHostname=yes
|
|
|
|
ProtectProc=invisible
|
|
ProcSubset=pid
|
|
LockPersonality=yes
|
|
MemoryDenyWriteExecute=yes
|
|
RestrictSUIDSGID=yes
|
|
RestrictRealtime=yes
|
|
RestrictNamespaces=yes
|
|
SystemCallArchitectures=native
|
|
|
|
CapabilityBoundingSet=
|
|
AmbientCapabilities=
|
|
KeyringMode=private
|
|
RemoveIPC=yes
|
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
|
|
|
# Reliability
|
|
Restart=on-failure
|
|
RestartSec=2s
|
|
TimeoutStartSec=30s
|
|
TimeoutStopSec=30s
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|