configurations/ipfs/lib/systemd/system/ipfs.service

56 lines
1.2 KiB
SYSTEMD
Raw Normal View History

[Unit]
Description=IPFS Daemon
2022-04-24 10:21:28 +02:00
Documentation=https://docs.ipfs.io/
After=network.target
[Service]
2022-04-24 10:21:28 +02:00
# hardening
ReadWritePaths=/home/ipfs /mnt/ipfs
NoNewPrivileges=true
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
PrivateDevices=true
DevicePolicy=closed
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
ProtectHostname=true
PrivateTmp=true
ProtectClock=true
LockPersonality=true
RestrictNamespaces=true
RestrictRealtime=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
#ProtectHome=true
RemoveIPC=true
RestrictSUIDSGID=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
2022-04-24 10:21:28 +02:00
LimitNOFILE=8192
#LimitNice=10
MemoryAccounting=true
2022-04-24 10:21:28 +02:00
MemoryHigh=768M
MemoryMax=1024M
MemorySwapMax=0
CPUAccounting=true
CPUQuota=40%
2022-04-24 10:21:28 +02:00
TimeoutStartSec=infinity
Type=notify
Environment="IPFS_PATH=/mnt/ipfs"
Environment=IPFS_LOGGING="error"
Environment=IPFS_FD_MAX=8192
ExecStart=/home/ipfs/.local/bin/ipfs daemon --init --enable-gc --migrate
User=ipfs
Group=ipfs
StateDirectory=ipfs
Restart=on-failure
KillSignal=SIGINT
[Install]
WantedBy=multi-user.target