Diffstat (limited to 'app-admin/vaultwarden/files/vaultwarden.service')
-rw-r--r-- | app-admin/vaultwarden/files/vaultwarden.service | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/app-admin/vaultwarden/files/vaultwarden.service b/app-admin/vaultwarden/files/vaultwarden.service
new file mode 100644
index 0000000..4b6cbfc
--- /dev/null
+++ b/app-admin/vaultwarden/files/vaultwarden.service
@@ -0,0 +1,50 @@
+[Unit]
+Description=Unofficial Bitwarden compatible server written in Rust
+Documentation=https://github.com/dani-garcia/vaultwarden
+After=network.target mariadb.service mysqld.service postgresql.service
+
+[Service]
+ExecStart=/usr/bin/vaultwarden
+WorkingDirectory=/var/lib/vaultwarden
+User=vaultwarden
+Group=vaultwarden
+
+# Allow vaultwarden to bind ports in the range of 0-1024
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+NoNewPrivileges=yes
+
+LimitNOFILE=1048576
+UMask=0077
+LimitNPROC=64
+
+ProtectSystem=strict
+ProtectHome=true
+ReadWriteDirectories=/var/lib/vaultwarden
+PrivateUsers=yes
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
+
+Environment="WEB_VAULT_FOLDER=/usr/share/vaultwarden-web-vault/htdocs"
+EnvironmentFile=/etc/vaultwarden.env
+
+[Install]
+WantedBy=multi-user.target |
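Review bot: The `AmbientCapabilities=CAP_NET_BIND_SERVICE` grant, which the comment says is there so the daemon can bind ports below 1024, is very likely ineffective once `PrivateUsers=yes` is set a few lines further down: with a private user namespace the service is not privileged over the host network namespace, so binding a low port still fails and the unit's intent as written by that comment is not met; this should be verified on a test host and either `PrivateUsers=` dropped (keeping the capability) or the capability lines and their comment removed in favour of a high `ROCKET_PORT` in the env file. Separately, `ReadWriteDirectories=` is the pre-systemd-231 spelling and should be `ReadWritePaths=/var/lib/vaultwarden` to match the rest of the modern sandboxing directives. Also consider `EnvironmentFile=-/etc/vaultwarden.env` so a missing file does not fail the unit, if the ebuild does not guarantee it exists.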