Created
February 1, 2024 16:51
-
-
Save KuJoe/29028c430c6d0db1292394342f3e55ec to your computer and use it in GitHub Desktop.
PeerTube Remote Runner systemd service file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Unit] | |
| Description=PeerTube runner daemon | |
| After=network.target | |
| [Service] | |
| Type=simple | |
| Environment=NODE_ENV=production | |
| User=prunner | |
| Group=prunner | |
| ExecStart=peertube-runner server | |
| WorkingDirectory=/srv/prunner | |
| SyslogIdentifier=prunner | |
| Restart=always | |
| ; Some security directives. | |
| ; Mount /usr, /boot, and /etc as read-only for processes invoked by this service. | |
| ProtectSystem=full | |
| ; Sets up a new /dev mount for the process and only adds API pseudo devices | |
| ; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled | |
| ; by default because it may not work on devices like the Raspberry Pi. | |
| PrivateDevices=false | |
| ; Ensures that the service process and all its children can never gain new | |
| ; privileges through execve(). | |
| NoNewPrivileges=true | |
| ; This makes /home, /root, and /run/user inaccessible and empty for processes invoked | |
| ; by this unit. Make sure that you do not depend on data inside these folders. | |
| ProtectHome=true | |
| ; Drops the sys admin capability from the daemon. | |
| CapabilityBoundingSet=~CAP_SYS_ADMIN | |
| [Install] | |
| WantedBy=multi-user.target |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment