|
| 1 | +# This file will be overwritten on package upgrades, avoid customizations here. |
| 2 | +# |
| 3 | +# To make persistant changes, create file in |
| 4 | +# "/etc/systemd/system/ipfs.service.d/overwrite.conf" with |
| 5 | +# `systemctl edit ipfs.service`. This file will be parsed after this |
| 6 | +# file has been parsed. |
| 7 | +# |
| 8 | +# To overwrite a variable, like ExecStart you have to specify it once |
| 9 | +# blank and a second time with a new value, like: |
| 10 | +# ExecStart= |
| 11 | +# ExecStart=/usr/bin/ipfs daemon --flag1 --flag2 |
| 12 | +# |
| 13 | +# For more info about custom unit files see systemd.unit(5). |
| 14 | + |
| 15 | +# This service file enables systemd-hardening features compatible with IPFS, |
| 16 | +# while breaking compability with the fuse-mount function. Use this one only |
| 17 | +# if you don't need the fuse-mount functionality. |
| 18 | + |
| 19 | +[Unit] |
| 20 | +Description=InterPlanetary File System (IPFS) daemon |
| 21 | +Documentation=https://docs.ipfs.io/ |
| 22 | +After=network.target |
| 23 | + |
| 24 | +[Service] |
| 25 | +# hardening |
| 26 | +ReadWritePaths="/var/lib/ipfs/" |
| 27 | +NoNewPrivileges=true |
| 28 | +ProtectSystem=strict |
| 29 | +ProtectKernelTunables=true |
| 30 | +ProtectKernelModules=true |
| 31 | +ProtectKernelLogs=true |
| 32 | +PrivateDevices=true |
| 33 | +DevicePolicy=closed |
| 34 | +ProtectControlGroups=true |
| 35 | +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK |
| 36 | +ProtectHostname=true |
| 37 | +PrivateTmp=true |
| 38 | +ProtectClock=true |
| 39 | +LockPersonality=true |
| 40 | +RestrictNamespaces=true |
| 41 | +RestrictRealtime=true |
| 42 | +MemoryDenyWriteExecute=true |
| 43 | +SystemCallArchitectures=native |
| 44 | +SystemCallFilter=@system-service |
| 45 | +SystemCallFilter=~@privileged |
| 46 | +ProtectHome=true |
| 47 | +RemoveIPC=true |
| 48 | +RestrictSUIDSGID=true |
| 49 | +CapabilityBoundingSet=CAP_NET_BIND_SERVICE |
| 50 | + |
| 51 | +# enable for 1-1024 port listening |
| 52 | +#AmbientCapabilities=CAP_NET_BIND_SERVICE |
| 53 | +# enable to specify a custom path see docs/environment-variables.md for further documentations |
| 54 | +#Environment=IPFS_PATH=/custom/ipfs/path |
| 55 | +# enable to specify a higher limit for open files/connections |
| 56 | +#LimitNOFILE=1000000 |
| 57 | + |
| 58 | +#don't use swap |
| 59 | +MemorySwapMax=0 |
| 60 | + |
| 61 | +Type=notify |
| 62 | +User=ipfs |
| 63 | +Group=ipfs |
| 64 | +StateDirectory=ipfs |
| 65 | +ExecStart=/usr/bin/ipfs daemon --init --migrate |
| 66 | +Restart=on-failure |
| 67 | +KillSignal=SIGINT |
| 68 | + |
| 69 | +[Install] |
| 70 | +WantedBy=default.target |
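Review bot: The commented-out `Environment=IPFS_PATH=/custom/ipfs/path` hint near the end of `[Service]` will not work on its own under this sandbox. With `ProtectSystem=strict` and `ProtectHome=true`, the only persistent writable location is `/var/lib/ipfs/`, so a relocated repository would be read-only or hidden from the daemon. I would extend that comment along the lines of `# when enabling, also add the path to ReadWritePaths= and keep it outside /home, /root and /run/user (hidden by ProtectHome=true)`. Separately, the header names the drop-in `overwrite.conf`, whereas `systemctl edit` writes `override.conf` by default. As far as I can tell, `ReadWritePaths="/var/lib/ipfs/"` is also redundant with `StateDirectory=ipfs`, which already keeps that directory writable under `ProtectSystem=strict`.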