systemd updates
parent
13996748e5
commit
79fb4da9a6
3 changed files with 87 additions and 3 deletions
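--- /dev/null
+++ b/ArchiSteamFarm/overlay/generic-netf/ArchiSteamFarm@.service
@@ -0,0 +1,42 @@
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+EnvironmentFile=-/etc/asf/%i
+ExecStart=mono /home/%i/ArchiSteamFarm/ArchiSteamFarm.exe --no-restart --process-required --service --system-required
+Restart=on-success
+RestartSec=5s
+SyslogIdentifier=asf-%i
+User=%i
+
+# ASF security hardening
+LockPersonality=yes
+PrivateDevices=yes
+PrivateMounts=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=full
+ReadWritePaths=/home/%i/ArchiSteamFarm /tmp/ASF
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
+# Not tested
+#PrivateIPC=yes
+
+# This list is incomplete, will likely crash your ASF, not to mention only a total madman would enable that
+#SystemCallFilter=accept4 access arch_prctl bind chdir chmod clone close connect epoll_create1 epoll_ctl epoll_wait fadvise64 fcntl flock fstat fsync ftruncate getcwd getdents64 getpeername getrusage getsockname getsockopt inotify_add_watch inotify_init ioctl listen lseek lstat madvise mkdir mknod mprotect openat pipe pipe2 poll pread64 read readlink recvfrom recvmsg rename rmdir rt_sigaction rt_sigprocmask sched_get_priority_max sched_get_priority_min sched_getparam sched_getscheduler sched_setaffinity sched_setscheduler sendmmsg sendmsg sendto setsockopt shutdown sigaltstack socket stat statfs sysinfo uname unlink utimensat write
+
+[Unit]
+After=network.target network-online.target
+Description=ArchiSteamFarm Service (on %I)
+Documentation=https://github.com/JustArchiNET/ArchiSteamFarm/wiki
+Wants=network.target network-online.target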
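Review bot: `ReadWritePaths=/home/%i/ArchiSteamFarm /tmp/ASF` makes the unit depend on a directory that nothing in this commit creates: systemd fails the mount-namespace setup when a listed path is missing, so the service will not start on a host where /tmp/ASF does not exist yet. With `ProtectSystem=full` /tmp is not remounted read-only, so the entry is not needed for write access; writing it as `-/tmp/ASF` keeps the intent and tolerates the missing directory. /tmp/ASF is also a fixed name in a world-writable directory shared by all instances and local users, so `PrivateTmp=yes` looks like the better fit, though whether ASF works with a private /tmp is not visible from this page. The same line is in the generic unit and in the -22,7 hunk of the third file.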
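--- /dev/null
+++ b/ArchiSteamFarm/overlay/generic/ArchiSteamFarm@.service
@@ -0,0 +1,42 @@
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+EnvironmentFile=-/etc/asf/%i
+ExecStart=dotnet /home/%i/ArchiSteamFarm/ArchiSteamFarm.dll --no-restart --process-required --service --system-required
+Restart=on-success
+RestartSec=5s
+SyslogIdentifier=asf-%i
+User=%i
+
+# ASF security hardening
+LockPersonality=yes
+PrivateDevices=yes
+PrivateMounts=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=full
+ReadWritePaths=/home/%i/ArchiSteamFarm /tmp/ASF
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
+# Not tested
+#PrivateIPC=yes
+
+# This list is incomplete, will likely crash your ASF, not to mention only a total madman would enable that
+#SystemCallFilter=accept4 access arch_prctl bind chdir chmod clone close connect epoll_create1 epoll_ctl epoll_wait fadvise64 fcntl flock fstat fsync ftruncate getcwd getdents64 getpeername getrusage getsockname getsockopt inotify_add_watch inotify_init ioctl listen lseek lstat madvise mkdir mknod mprotect openat pipe pipe2 poll pread64 read readlink recvfrom recvmsg rename rmdir rt_sigaction rt_sigprocmask sched_get_priority_max sched_get_priority_min sched_getparam sched_getscheduler sched_setaffinity sched_setscheduler sendmmsg sendmsg sendto setsockopt shutdown sigaltstack socket stat statfs sysinfo uname unlink utimensat write
+
+[Unit]
+After=network.target network-online.target
+Description=ArchiSteamFarm Service (on %I)
+Documentation=https://github.com/JustArchiNET/ArchiSteamFarm/wiki
+Wants=network.target network-online.target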
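Review bot: `RestrictAddressFamilies=AF_INET AF_INET6` also denies AF_UNIX and AF_NETLINK, and nothing in the unit says that this is deliberate. The C library commonly uses those families for resolver caches and interface enumeration, so it is worth confirming that the dotnet runtime behaves under this filter and recording the result next to the line, for example `# AF_UNIX and AF_NETLINK are blocked on purpose; add them if name resolution or local IPC fails`. The generic-netf unit carries the same setting. Separately, `Wants=network.target` on the last line pulls in a passive target that systemd expects consumers only to order after; `Wants=network-online.target` together with the existing `After=` line would be enough.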
|
@ -9,7 +9,7 @@ RestartSec=5s
|
|||
SyslogIdentifier=asf-%i
|
||||
User=%i
|
||||
|
||||
# ASF hardening
|
||||
# ASF security hardening
|
||||
LockPersonality=yes
|
||||
PrivateDevices=yes
|
||||
PrivateMounts=yes
|
||||
|
@ -22,7 +22,7 @@ ProtectKernelLogs=yes
|
|||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectSystem=full
|
||||
ReadWritePaths=/home/%i/ArchiSteamFarm
|
||||
ReadWritePaths=/home/%i/ArchiSteamFarm /tmp/ASF
|
||||
RemoveIPC=yes
|
||||
RestrictAddressFamilies=AF_INET AF_INET6
|
||||
RestrictNamespaces=yes
|
||||
|
@ -39,4 +39,4 @@ RestrictSUIDSGID=yes
|
|||
After=network.target network-online.target
|
||||
Description=ArchiSteamFarm Service (on %I)
|
||||
Documentation=https://github.com/JustArchiNET/ArchiSteamFarm/wiki
|
||||
Wants=network-online.target
|
||||
Wants=network.target network-online.target
|
||||
|
|