45 lines
1.1 KiB
Desktop File
45 lines
1.1 KiB
Desktop File
[Unit]
|
|
Description=Server services monitoring
|
|
After=network-online.target graphical-session.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
EnvironmentFile=%h/.config/private-env/availability-monitor.env
|
|
ExecStart=/usr/local/bin/availability-monitor.py 3600
|
|
|
|
AmbientCapabilities=
|
|
CapabilityBoundingSet=
|
|
InaccessiblePaths=/home /root
|
|
KeyringMode=private
|
|
LockPersonality=true
|
|
MemoryDenyWriteExecute=true
|
|
NoNewPrivileges=true
|
|
PrivateDevices=true
|
|
PrivateIPC=true
|
|
PrivateMounts=true
|
|
PrivateTmp=true
|
|
PrivateUsers=true
|
|
ProcSubset=pid
|
|
ProtectClock=true
|
|
ProtectControlGroups=true
|
|
# can't override rw for %t/bus if "true" (completely inaccessible /run)
|
|
# rw necessary for notif
|
|
ProtectHome=read-only
|
|
ProtectHostname=true
|
|
ProtectKernelLogs=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelTunables=true
|
|
ProtectProc=noaccess
|
|
ProtectSystem=strict
|
|
ReadWritePaths=%t/bus
|
|
# AF_UNIX for dbus (notifications), net for checking (duh)
|
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
|
RestrictNamespaces=true
|
|
RestrictRealtime=true
|
|
RestrictSUIDSGID=true
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=@system-service
|
|
UMask=0277
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|