alanorth/solr.service

## solr.service
[Unit]
Description=Solr 8.11.2
After=network.target

[Service]
Type=simple

WorkingDirectory=/var/solr
PIDFile=/var/solr/solr-8983.pid
Environment=SOLR_PID_DIR=/var/solr
Environment=SOLR_HOME=/var/solr/data
Environment=SOLR_LOGS_DIR=/var/solr/logs
Environment=SOLR_HEAP=2g

PrivateDevices=yes
PrivateTmp=yes
# Solr does not need access to /home, /root, or /run/user
ProtectHome=true
# Solr can live with read-only access to the entire file system hierarchy other
# than the paths below.
ProtectSystem=strict

# The service process and all its children can never gain new privileges
NoNewPrivileges=true

ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true

# Do not allow process or its children to create SUID/SGID files/directories
RestrictSUIDSGID=true

LockPersonality=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=~CAP_NET_BROADCAST CAP_NET_RAW
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
RemoveIPC=true
RestrictAddressFamilies=~AF_PACKET AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

# Allow writing to these paths, but don't fail if they don't exist
ReadWritePaths=-/var/solr

User=solr
Group=solr

ExecStart=/opt/solr-8.11.2/bin/solr start -f
ExecStop=/opt/solr-8.11.2/bin/solr stop

# Recommended system limits
# See: https://solr.apache.org/guide/8_11/taking-solr-to-production.html
LimitNOFILE=65000
LimitNPROC=65000
LimitAS=infinity
LimitRSS=infinity

# the JVM exits gracefully with 143 when it receives a SIGTERM (128 + 15 == 143)
SuccessExitStatus=143

[Install]
WantedBy=multi-user.target
	[Unit]
	Description=Solr 8.11.2
	After=network.target

	[Service]
	Type=simple

	WorkingDirectory=/var/solr
	PIDFile=/var/solr/solr-8983.pid
	Environment=SOLR_PID_DIR=/var/solr
	Environment=SOLR_HOME=/var/solr/data
	Environment=SOLR_LOGS_DIR=/var/solr/logs
	Environment=SOLR_HEAP=2g

	PrivateDevices=yes
	PrivateTmp=yes
	# Solr does not need access to /home, /root, or /run/user
	ProtectHome=true
	# Solr can live with read-only access to the entire file system hierarchy other
	# than the paths below.
	ProtectSystem=strict

	# The service process and all its children can never gain new privileges
	NoNewPrivileges=true

	ProtectControlGroups=true
	ProtectKernelModules=true
	ProtectKernelTunables=true

	# Do not allow process or its children to create SUID/SGID files/directories
	RestrictSUIDSGID=true

	LockPersonality=true
	CapabilityBoundingSet=CAP_NET_BIND_SERVICE
	CapabilityBoundingSet=~CAP_NET_BROADCAST CAP_NET_RAW
	ProtectHostname=true
	ProtectKernelLogs=true
	ProtectKernelModules=true
	RemoveIPC=true
	RestrictAddressFamilies=~AF_PACKET AF_NETLINK AF_UNIX
	RestrictNamespaces=true
	RestrictRealtime=true
	SystemCallArchitectures=native
	SystemCallFilter=@system-service
	SystemCallFilter=~@privileged @resources

	# Allow writing to these paths, but don't fail if they don't exist
	ReadWritePaths=-/var/solr

	User=solr
	Group=solr

	ExecStart=/opt/solr-8.11.2/bin/solr start -f
	ExecStop=/opt/solr-8.11.2/bin/solr stop

	# Recommended system limits
	# See: https://solr.apache.org/guide/8_11/taking-solr-to-production.html
	LimitNOFILE=65000
	LimitNPROC=65000
	LimitAS=infinity
	LimitRSS=infinity

	# the JVM exits gracefully with 143 when it receives a SIGTERM (128 + 15 == 143)
	SuccessExitStatus=143

	[Install]
	WantedBy=multi-user.target