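# systemd unit for the collabore tunnel server: runs main.py from
# /opt/collabore-tunnel under the sandboxing options in [Service].
[Unit]
Description=collabore tunnel  Make your local services accessible to all on the public Internet
After=network.target nginx.service

[Service]
# NOTE(review): no User=/Group= is set, so as a system unit this runs as
# root. CapabilityBoundingSet= below trims capabilities, but uid 0 still
# owns root-owned files in the writable paths. Prefer a dedicated
# unprivileged account plus AmbientCapabilities=CAP_NET_BIND_SERVICE
# (needed for port 22).

# NOTE(review): the socket directory is under the shared, world-writable
# /tmp, so another local account can create or replace this path first.
# A RuntimeDirectory= under /run avoids that, but whatever connects to the
# sockets (presumably nginx, given After=) must be pointed at the new path.
Environment=UNIX_SOCKETS_DIRECTORY=/tmp/collabore-tunnel
Environment=SERVER_HOSTNAME=tnl.clb.re
# Presumably resolved against WorkingDirectory=; confirm in main.py.
Environment=CONFIG_DIRECTORY=.
# Listens on every IPv4 interface, on the standard SSH port.
Environment=SSH_SERVER_HOST=0.0.0.0
Environment=SSH_SERVER_PORT=22
Environment=LOG_DEPTH=2
WorkingDirectory=/opt/collabore-tunnel
ExecStart=/usr/bin/python3 main.py
# No ExecStop=: the previous "/bin/kill -9 $MAINPID" gave the process no
# chance to close sessions or remove its sockets, and a SIGKILL exit is
# recorded as a failure. systemd's default stop sends SIGTERM, then SIGKILL
# once TimeoutStopSec= expires.

# File system: everything is read-only except ReadWritePaths=.
ProtectSystem=strict
# NOTE(review): all of /tmp is writable here; see the socket-directory note.
ReadWritePaths=/opt/collabore-tunnel /tmp
# Redundant under ProtectSystem=strict, kept as an explicit statement.
ReadOnlyPaths=/usr/bin
# NOTE(review): "..." is a placeholder, not an absolute path, and systemd
# is expected to reject it. Replace it with the real paths to hide, or
# remove the line.
InaccessiblePaths=...
ProtectHome=true
ProtectProc=invisible
ProtectKernelTunables=true
ProtectControlGroups=true
NoNewPrivileges=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# NOTE(review): this list is an allow-list. It permits creating uts, ipc,
# pid and cgroup namespaces and denies the rest. If the service creates no
# namespaces, RestrictNamespaces=true is stricter; a leading "~" inverts
# the list.
RestrictNamespaces=uts ipc pid cgroup
RestrictSUIDSGID=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictRealtime=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
# NOTE(review): with no IPAddressDeny=, this allow-list filters nothing,
# because unmatched traffic is still accepted. Adding IPAddressDeny=any
# would limit the service to this LAN, which conflicts with the public
# purpose in Description=. Confirm the intent.
IPAddressAllow=192.168.1.0/24
PrivateDevices=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectClock=true
SystemCallArchitectures=native
# Was an empty "SystemCallFilter=", which resets the list and filters
# nothing. @system-service is systemd's baseline allow-list for ordinary
# daemons; validate with a test run and `systemd-analyze security`.
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target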