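# systemd unit template for the ${project.artifactId} service.
# The ${...} tokens are build-time placeholders (presumably Maven resource
# filtering) and must be substituted before this file reaches systemd:
# systemd expands ${VAR} in ExecStart= from the process environment, so an
# unfiltered copy would likely run with empty paths instead of failing loudly.

[Unit]
Description=xxx ${project.artifactId} ${project.version}
After=network.target

[Service]
# SERVER_BASEPORT is the application's base port; JAVA_HOME points at the
# JDK selected at build time via ${runtime-jdk}.
Environment=SERVER_BASEPORT=${xxx.server.baseport} JAVA_HOME=/usr/lib/jvm/${runtime-jdk}
# Read by systemd itself (outside the chroot configured below) before the
# process is started.
EnvironmentFile=/etc/default/${project.artifactId}
Type=simple
WorkingDirectory=/opt/${project.artifactId}
# authbind exists to let an unprivileged user bind ports below 1024. If every
# port permitted by SocketBindAllow= below is >= 1024 the wrapper is
# unnecessary; if a privileged port is required, AmbientCapabilities=CAP_NET_BIND_SERVICE
# is the systemd-native alternative that does not depend on a setuid helper
# (NoNewPrivileges= below stops such a helper from elevating anyway).
ExecStart=/usr/bin/authbind --depth 3 /usr/lib/jvm/${runtime-jdk}/bin/java -jar /opt/${project.artifactId}/${project.artifactId}-exec.jar
# Dedicated unprivileged account; it must exist before the unit is started.
User=${project.artifactId}
Group=${project.artifactId}
# seconds to wait between restart attempts
RestartSec=10
Restart=always
# "syslog" has been deprecated since systemd 246 and is treated as "journal"
# (with a warning at load time); journald still forwards to syslog when
# configured to, and SyslogIdentifier= keeps tagging the records.
StandardOutput=journal
StandardError=journal
SyslogIdentifier=${project.artifactId}
# 143 = 128 + SIGTERM: the JVM's normal exit status after a clean stop.
SuccessExitStatus=143

# Security Hardening
## chroot
# The service sees only this directory as "/"; the application tree is bound
# read-write, the host tool chain and a few config files read-only.
RootDirectory=/opt/chroot/${project.artifactId}
BindPaths=/opt/${project.artifactId}
BindReadOnlyPaths=/bin /sbin /lib /lib64 /usr /etc/resolv.conf /etc/hosts /etc/timezone /etc/default/${project.artifactId}
MountAPIVFS=true
PrivateDevices=true
PrivateTmp=true
## disable access to features
# Stated explicitly rather than relying on the implication that the
# Protect*/Restrict* options carry for services with User= set; this blocks
# privilege gain through setuid/setgid binaries and file capabilities.
NoNewPrivileges=true
# Booleans are spelled true/false throughout this file.
LockPersonality=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
# Inside the chroot: /usr, /boot, /efi and /etc become read-only. "strict"
# would make the whole tree read-only and need ReadWritePaths= for anything
# the application writes under /opt/${project.artifactId}.
ProtectSystem=full
# IPv6 is intentionally absent here and in SocketBindAllow=; if the JVM tries
# to open AF_INET6 sockets it will be refused — -Djava.net.preferIPv4Stack=true
# may be needed on the command line (verify against the application).
RestrictAddressFamilies=AF_UNIX AF_INET AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
### socket binding access
# Deny all binds, then allow exactly the two application ports. Each port is
# the digit 2 (or 3) prefixed to the build-time base port, e.g. base 8080
# gives 28080 and 38080 (constructed example). Repeated SocketBindAllow=
# lines accumulate in systemd.
SocketBindDeny=any
SocketBindAllow=ipv4:tcp:2${xxx.server.baseport}
SocketBindAllow=ipv4:tcp:3${xxx.server.baseport}
# Uncomment to allow binding to port 8000 for debugger
# SocketBindAllow=ipv4:tcp:8000
# Further candidates deliberately not enabled here because they need testing
# against the JVM first: SystemCallArchitectures=native,
# SystemCallFilter=@system-service, ProtectProc=invisible, RemoveIPC=true,
# UMask=0077. MemoryDenyWriteExecute= is not suitable for a JIT-compiling JVM.

[Install]
WantedBy=multi-user.target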