[Unit] Description=IPFS Daemon Documentation=https://docs.ipfs.io/ After=network.target [Service] # hardening ReadWritePaths=/home/ipfs /mnt/ipfs NoNewPrivileges=true ProtectSystem=strict ProtectKernelTunables=true ProtectKernelModules=true ProtectKernelLogs=true PrivateDevices=true DevicePolicy=closed ProtectControlGroups=true RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK ProtectHostname=true PrivateTmp=true ProtectClock=true LockPersonality=true RestrictNamespaces=true RestrictRealtime=true MemoryDenyWriteExecute=true SystemCallArchitectures=native SystemCallFilter=@system-service SystemCallFilter=~@privileged #ProtectHome=true RemoveIPC=true RestrictSUIDSGID=true CapabilityBoundingSet=CAP_NET_BIND_SERVICE LimitNOFILE=8192 #LimitNice=10 MemoryAccounting=true MemoryHigh=768M MemoryMax=1024M MemorySwapMax=0 CPUAccounting=true CPUQuota=40% TimeoutStartSec=infinity Type=notify Environment="IPFS_PATH=/mnt/ipfs" Environment=IPFS_LOGGING="error" Environment=IPFS_FD_MAX=8192 ExecStart=/home/ipfs/.local/bin/ipfs daemon --init --enable-gc --migrate User=ipfs Group=ipfs StateDirectory=ipfs Restart=on-failure KillSignal=SIGINT [Install] WantedBy=multi-user.target