summaryrefslogtreecommitdiff
path: root/app-admin/vaultwarden/files/vaultwarden.service
diff options
context:
space:
mode:
Diffstat (limited to 'app-admin/vaultwarden/files/vaultwarden.service')
-rw-r--r--app-admin/vaultwarden/files/vaultwarden.service50
1 files changed, 50 insertions, 0 deletions
diff --git a/app-admin/vaultwarden/files/vaultwarden.service b/app-admin/vaultwarden/files/vaultwarden.service
new file mode 100644
index 0000000..4b6cbfc
--- /dev/null
+++ b/app-admin/vaultwarden/files/vaultwarden.service
@@ -0,0 +1,50 @@
+[Unit]
+Description=Unofficial Bitwarden compatible server written in Rust
+Documentation=https://github.com/dani-garcia/vaultwarden
+After=network.target mariadb.service mysqld.service postgresql.service
+
+[Service]
+ExecStart=/usr/bin/vaultwarden
+WorkingDirectory=/var/lib/vaultwarden
+User=vaultwarden
+Group=vaultwarden
+
+# Allow vaultwarden to bind ports in the range of 0-1024
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+NoNewPrivileges=yes
+
+LimitNOFILE=1048576
+UMask=0077
+LimitNPROC=64
+
+ProtectSystem=strict
+ProtectHome=true
+ReadWriteDirectories=/var/lib/vaultwarden
+PrivateUsers=yes
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
+
+Environment="WEB_VAULT_FOLDER=/usr/share/vaultwarden-web-vault/htdocs"
+EnvironmentFile=/etc/vaultwarden.env
+
+[Install]
+WantedBy=multi-user.target