# systemd unit for the mpd scrobbler built from
# https://git.fcuny.net/fcuny/mpd-stats. The %h specifier below expands to the
# home directory of the manager instance running this unit (systemd.unit(5)),
# so this reads like a per-user unit (systemd --user) — confirm against where
# the file is installed.
# NOTE(review): no [Install] section is visible on this page, so `systemctl
# enable` would have nothing to hook into; presumably the unit is started some
# other way — verify.
[Unit]
Description=mpd scrobbler
Documentation=https://git.fcuny.net/fcuny/mpd-stats
# Skip the unit quietly when the binary is absent. Conditions are evaluated by
# the manager before the [Service] sandbox (mount namespace) is set up, so a
# passing condition does not prove the executable is still reachable once
# ProtectHome= from the [Service] section is applied.
ConditionFileIsExecutable=%h/workspace/go/bin/mpd-scrobbler
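[Service]
# The binary lives under %h, so it must remain visible to the process once the
# home-directory sandboxing further down has been applied.
ExecStart=%h/workspace/go/bin/mpd-scrobbler
Restart=on-failure
PrivateTmp=yes
# Whole file system read-only except /dev, /proc and /sys. The daemon keeps no
# on-disk state; if it ever needs a writable location, grant it explicitly via
# StateDirectory= or ReadWritePaths= rather than relaxing this.
ProtectSystem=strict
NoNewPrivileges=yes
# Hide home directories behind an empty tmpfs rather than making them
# inaccessible (ProtectHome=yes). The executable itself is under %h and the
# mount namespace is set up before execve(), so with "yes" the service cannot
# see its own binary and fails to start (typically reported as 203/EXEC).
# "tmpfs" is the variant systemd.exec(5) documents for hiding home while
# exposing individual paths through BindReadOnlyPaths=.
ProtectHome=tmpfs
# Expose only the binary, read-only. If mpd-scrobbler reads a config or
# credentials file from under %h, that path must be listed here as well
# (e.g. BindReadOnlyPaths=%h/<path-to-config> — fill in the real path).
BindReadOnlyPaths=%h/workspace/go/bin/mpd-scrobbler
# Prohibit access to any kind of namespacing:
RestrictNamespaces=yes
# Make cgroup file system hierarchy inaccessible:
ProtectControlGroups=yes
# Deny access to other users' information in /proc:
ProtectProc=invisible
# Only allow access to /proc pid files, no other files:
ProcSubset=pid
# Private /dev containing only pseudo-devices (null, zero, random, ...); a
# scrobbler has no use for physical device nodes.
PrivateDevices=yes
# No real-time scheduling and no set-user-ID/set-group-ID files: neither is
# needed by a network client, and both are classic escalation vectors if the
# process is ever compromised.
RestrictRealtime=yes
RestrictSUIDSGID=yes
# RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 would further narrow the
# reachable socket types (mpd socket plus HTTPS), but it is left off until the
# address families the binary actually opens have been confirmed.
# This daemon must not create any new files, but set the umask to 077 just in case.
UMask=077
# Filter dangerous system calls. The following is listed as safe basic choice
# in systemd.exec(5). Order matters: the first SystemCallFilter= line is an
# allow-list and the "~" lines subtract groups from it, so do not reorder them.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
# Filtered calls fail with EPERM instead of killing the process, so a stray
# call surfaces as an error in the daemon's own logging rather than a SIGSYS
# crash.
SystemCallErrorNumber=EPERM
# Deny kernel execution domain changing:
LockPersonality=yes
# Deny memory mappings that are writable and executable:
MemoryDenyWriteExecute=yes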