55 lines
1.2 KiB
SYSTEMD
55 lines
1.2 KiB
SYSTEMD
|
[Unit]
|
||
|
|
Description=Vaultwarden Server
|
||
|
|
Documentation=https://github.com/dani-garcia/vaultwarden
|
||
|
|
After=network.target
|
||
|
|
|
||
|
|
[Service]
|
||
|
|
ExecStart=/usr/bin/vaultwarden
|
||
|
|
WorkingDirectory=/var/lib/vaultwarden
|
||
|
|
User=vaultwarden
|
||
|
|
Group=vaultwarden
|
||
|
|
|
||
|
|
# Allow vaultwarden to bind ports in the range of 0-1024 and restrict it to
|
||
|
|
# that capability
|
||
|
|
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||
|
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||
|
|
|
||
|
|
# If vaultwarden is run at ports >1024, you should apply these options via a
|
||
|
|
# drop-in file
|
||
|
|
#CapabilityBoundingSet=
|
||
|
|
#AmbientCapabilities=
|
||
|
|
#PrivateUsers=yes
|
||
|
|
|
||
|
|
NoNewPrivileges=yes
|
||
|
|
|
||
|
|
LimitNOFILE=1048576
|
||
|
|
UMask=0077
|
||
|
|
|
||
|
|
ProtectSystem=strict
|
||
|
|
ProtectHome=yes
|
||
|
|
ReadWritePaths=/var/lib/vaultwarden /var/log/vaultwarden.log
|
||
|
|
PrivateTmp=yes
|
||
|
|
PrivateDevices=yes
|
||
|
|
ProtectHostname=yes
|
||
|
|
ProtectClock=yes
|
||
|
|
ProtectKernelTunables=yes
|
||
|
|
ProtectKernelModules=yes
|
||
|
|
ProtectKernelLogs=yes
|
||
|
|
ProtectControlGroups=yes
|
||
|
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||
|
|
RestrictNamespaces=yes
|
||
|
|
LockPersonality=yes
|
||
|
|
MemoryDenyWriteExecute=yes
|
||
|
|
RestrictRealtime=yes
|
||
|
|
RestrictSUIDSGID=yes
|
||
|
|
RemoveIPC=yes
|
||
|
|
|
||
|
|
SystemCallFilter=@system-service
|
||
|
|
SystemCallFilter=~@privileged @resources
|
||
|
|
SystemCallArchitectures=native
|
||
|
|
|
||
|
|
EnvironmentFile=/etc/vaultwarden.env
|
||
|
|
|
||
|
|
[Install]
|
||
|
|
WantedBy=multi-user.target
|