Skip to content

Instantly share code, notes, and snippets.

@KuJoe
Created February 1, 2024 16:51
Show Gist options
  • Save KuJoe/29028c430c6d0db1292394342f3e55ec to your computer and use it in GitHub Desktop.
Save KuJoe/29028c430c6d0db1292394342f3e55ec to your computer and use it in GitHub Desktop.
PeerTube Remote Runner systemd service file
[Unit]
Description=PeerTube runner daemon
After=network.target
[Service]
Type=simple
Environment=NODE_ENV=production
User=prunner
Group=prunner
ExecStart=peertube-runner server
WorkingDirectory=/srv/prunner
SyslogIdentifier=prunner
Restart=always
; Some security directives.
; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
ProtectSystem=full
; Sets up a new /dev mount for the process and only adds API pseudo devices
; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
; by default because it may not work on devices like the Raspberry Pi.
PrivateDevices=false
; Ensures that the service process and all its children can never gain new
; privileges through execve().
NoNewPrivileges=true
; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
; by this unit. Make sure that you do not depend on data inside these folders.
ProtectHome=true
; Drops the sys admin capability from the daemon.
CapabilityBoundingSet=~CAP_SYS_ADMIN
[Install]
WantedBy=multi-user.target
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment