freeseacher/confluence ne boley

## confluence ne boley
Non for production!!!! requires heavy testing
testted on 7.13.0 with
* login
* enter space
* edit page
* upload file
* logs are written ok
* index rebuild
* backup
* restore not tested
* several scheduled jobs
* plugin load/unload/update

## confluence.service
# /run/systemd/generator.late/confluence.service
# Automatically generated by systemd-sysv-generator

[Unit]
Documentation=man:systemd-sysv-generator(8)
SourcePath=/etc/init.d/confluence
Before=multi-user.target
Before=multi-user.target
Before=multi-user.target
Before=graphical.target
Before=exim4.service

[Service]
Type=forking
Restart=no
TimeoutSec=5min
IgnoreSIGPIPE=no
KillMode=process
GuessMainPID=no
RemainAfterExit=yes
ExecStart=/etc/init.d/confluence start
ExecStop=/etc/init.d/confluence stop

## override.conf
# /etc/systemd/system/confluence.service.d/override.conf
[Unit]
After=postgresql.service

[Service]
User=confluence
PrivateDevices=true
DeviceAllow=/dev/stderr
DeviceAllow=/dev/stdin
DeviceAllow=/dev/stdout
DeviceAllow=/dev/random
DeviceAllow=/dev/urandom
DevicePolicy=strict
LockPersonality=true

PrivateMounts=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=noaccess
NoNewPrivileges=yes
ProtectSystem=strict
# confluence installed to /opt/confluence and confluence_home set to /mnt/confluence
ReadWriteDirectories=/mnt/confluence /opt/confluence/logs /opt/confluence/work /opt/confluence/temp
KillMode=control-group
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
RestrictNamespaces=true
ProtectHostname=true
UMask=0177
	Non for production!!!! requires heavy testing
	testted on 7.13.0 with
	* login
	* enter space
	* edit page
	* upload file
	* logs are written ok
	* index rebuild
	* backup
	* restore not tested
	* several scheduled jobs
	* plugin load/unload/update
	# /run/systemd/generator.late/confluence.service
	# Automatically generated by systemd-sysv-generator

	[Unit]
	Documentation=man:systemd-sysv-generator(8)
	SourcePath=/etc/init.d/confluence
	Before=multi-user.target
	Before=multi-user.target
	Before=multi-user.target
	Before=graphical.target
	Before=exim4.service

	[Service]
	Type=forking
	Restart=no
	TimeoutSec=5min
	IgnoreSIGPIPE=no
	KillMode=process
	GuessMainPID=no
	RemainAfterExit=yes
	ExecStart=/etc/init.d/confluence start
	ExecStop=/etc/init.d/confluence stop
	# /etc/systemd/system/confluence.service.d/override.conf
	[Unit]
	After=postgresql.service

	[Service]
	User=confluence
	PrivateDevices=true
	DeviceAllow=/dev/stderr
	DeviceAllow=/dev/stdin
	DeviceAllow=/dev/stdout
	DeviceAllow=/dev/random
	DeviceAllow=/dev/urandom
	DevicePolicy=strict
	LockPersonality=true

	PrivateMounts=true
	PrivateTmp=true
	ProtectClock=true
	ProtectControlGroups=yes
	ProtectHome=yes
	ProtectKernelLogs=yes
	ProtectKernelModules=yes
	ProtectKernelTunables=yes
	ProtectProc=noaccess
	NoNewPrivileges=yes
	ProtectSystem=strict
	# confluence installed to /opt/confluence and confluence_home set to /mnt/confluence
	ReadWriteDirectories=/mnt/confluence /opt/confluence/logs /opt/confluence/work /opt/confluence/temp
	KillMode=control-group
	CapabilityBoundingSet=CAP_NET_BIND_SERVICE
	SystemCallFilter=@system-service
	SystemCallFilter=~@privileged
	SystemCallFilter=~@resources
	RestrictNamespaces=true
	ProtectHostname=true
	UMask=0177