Skip to content

Instantly share code, notes, and snippets.

@HorlogeSkynet

HorlogeSkynet/isso.service

Last active November 5, 2023 09:45
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save HorlogeSkynet/8f008d89511c61d0947e3a7827981590 to your computer and use it in GitHub Desktop.
Save HorlogeSkynet/8f008d89511c61d0947e3a7827981590 to your computer and use it in GitHub Desktop.
Download ZIP
systemd unit file for Isso server installed under /opt
Raw
isso.service
[Unit]
Description=Lightweight Disqus alternative
After=network-online.target
Wants=network-online.target
[Service]
User=isso
ExecStart=/opt/isso/venv/bin/isso -c isso.cfg run
Restart=on-failure
WorkingDirectory=/opt/isso
ReadWritePaths=/opt/isso
ReadOnlyPaths=/opt/isso/venv
# security options
NoNewPrivileges=yes
PrivateIPC=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict
ProtectHome=read-only
ProtectHostname=yes
ProtectClock=yes
ProtectProc=noaccess
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
RestrictAddressFamilies=AF_INET
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Misaka dependency uses CFFI
#MemoryDenyWriteExecute=yes
LockPersonality=yes
[Install]
WantedBy=multi-user.target
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment