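# rest-server.service — systemd service unit for rest-server (restic REST backend).
# Read by systemd (v247 or newer for the full hardening set below). Pairs with
# rest-server.socket, which owns the listening socket; this unit only runs the
# process that accepts connections on it.
[Unit]
Description=Rest Server
After=syslog.target
After=network.target
# Hard dependency on the socket unit: the service must never start without the
# pre-created listen socket, because the sandbox below removes its ability to
# open one itself (PrivateNetwork= / RestrictAddressFamilies=).
Requires=rest-server.socket
After=rest-server.socket

[Service]
Type=simple

# You may prefer to use a different user or group on your system. A dedicated
# account is preferable to sharing www-data with an unrelated web server, so a
# compromise of one service does not grant file access to the other's data.
User=www-data
Group=www-data

# NOTE(review): this command line sets only the repository path. It passes no
# authentication or TLS options; check `rest-server --help` for the flags your
# version uses to require credentials and serve TLS, and confirm how the
# repository is protected before exposing the socket beyond localhost.
ExecStart=/usr/local/bin/rest-server --path /path/to/backups
Restart=always
# seconds
RestartSec=5

# The following options are available (in systemd v247) to restrict the
# actions of the rest-server.
# As a whole, the purpose of these are to provide an additional layer of
# security by mitigating any unknown security vulnerabilities which may exist
# in rest-server or in the libraries, tools and operating system components
# which it relies upon.

# IMPORTANT!
# The following line must be customised to your individual requirements.
# It must name the same directory as `--path` in ExecStart=: with
# ProtectSystem=strict (below) the rest of the file system is mounted
# read-only, so a repository outside this list cannot be written to.
# If the repository lives under /home or /root, ProtectHome=true below is
# likely to hide it regardless of this setting — verify on your system, or
# relocate the repository.
ReadWritePaths=/path/to/backups

# Files in the data repository are only user accessible by default. Default to
# `UMask=077` for consistency. To make created files group-readable, set to
# `UMask=007` and pass `--group-accessible-repos` to rest-server via `ExecStart`.
UMask=077

# If your system doesn't support all of the features below (e.g. because of
# the use of an older version of systemd), you may wish to comment-out
# some of the lines below as appropriate.

# An empty assignment resets the bounding set, i.e. the process retains no
# capabilities at all.
CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true

# As the listen socket is created by systemd via the rest-server.socket unit, it is
# no longer necessary for rest-server to have access to the host network namespace.
# RestrictAddressFamilies=none additionally forbids creating sockets of any family.
# If you ever drop socket activation and let rest-server bind its own `--listen`
# address, both of these must be relaxed (e.g. PrivateNetwork=false and
# RestrictAddressFamilies=AF_INET AF_INET6) or the bind will fail.
PrivateNetwork=true
PrivateTmp=true
PrivateDevices=true
PrivateUsers=true
ProtectSystem=strict
ProtectHome=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectHostname=true
RemoveIPC=true
RestrictNamespaces=true
RestrictAddressFamilies=none
RestrictSUIDSGID=true
RestrictRealtime=true

# if your service crashes with "code=killed, status=31/SYS", you probably tried to run linux_i386 (32bit) binary on a amd64 host
SystemCallArchitectures=native
# A syscall outside this set kills the process with SIGSYS (status=31/SYS);
# check the journal for "SYS" kills after upgrading rest-server or systemd.
SystemCallFilter=@system-service

# Additionally, you may wish to use some of the systemd options documented in
# systemd.resource-control(5) to limit the CPU, memory, file-system I/O and
# network I/O that the rest-server is permitted to consume according to the
# individual requirements of your installation.
#CPUQuota=25%
#MemoryHigh=bytes
#MemoryMax=bytes
#MemorySwapMax=bytes
#TasksMax=N
#IOReadBandwidthMax=device bytes
#IOWriteBandwidthMax=device bytes
#IOReadIOPSMax=device IOPS
#IOWriteIOPSMax=device IOPS
# NOTE(review): with socket activation the connections arrive on a socket
# owned by rest-server.socket; confirm whether IP accounting / allow-listing
# should be applied to that unit rather than (or in addition to) this one.
#IPAccounting=true
#IPAddressAllow=

[Install]
WantedBy=multi-user.target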