pkgbuilds/vaultwarden/systemd.service

55 lines
1.2 KiB
SYSTEMD
Raw Permalink Normal View History

2023-11-22 08:40:20 -06:00
[Unit]
Description=Vaultwarden Server
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target
[Service]
ExecStart=/usr/bin/vaultwarden
WorkingDirectory=/var/lib/vaultwarden
User=vaultwarden
Group=vaultwarden
# Allow vaultwarden to bind ports in the range of 0-1024 and restrict it to
# that capability
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
# If vaultwarden is run at ports >1024, you should apply these options via a
# drop-in file
#CapabilityBoundingSet=
#AmbientCapabilities=
#PrivateUsers=yes
NoNewPrivileges=yes
LimitNOFILE=1048576
UMask=0077
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/vaultwarden /var/log/vaultwarden.log
PrivateTmp=yes
PrivateDevices=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
EnvironmentFile=/etc/vaultwarden.env
[Install]
WantedBy=multi-user.target