Diffstat (limited to 'app-admin/vaultwarden/files/vaultwarden.service')
-rw-r--r-- | app-admin/vaultwarden/files/vaultwarden.service | 41 |
1 files changed, 27 insertions, 14 deletions
diff --git a/app-admin/vaultwarden/files/vaultwarden.service b/app-admin/vaultwarden/files/vaultwarden.service
index 12ba0d4..4b6cbfc 100644
--- a/app-admin/vaultwarden/files/vaultwarden.service
+++ b/app-admin/vaultwarden/files/vaultwarden.service
@@ -4,34 +4,47 @@ Documentation=https://github.com/dani-garcia/vaultwarden
 After=network.target mariadb.service mysqld.service postgresql.service
 [Service]
+ExecStart=/usr/bin/vaultwarden
+WorkingDirectory=/var/lib/vaultwarden
 User=vaultwarden
 Group=vaultwarden
-Environment="WEB_VAULT_FOLDER=/usr/share/vaultwarden-web-vault/htdocs"
-EnvironmentFile=/etc/vaultwarden.env
-ExecStart=/usr/bin/vaultwarden
+
+# Allow vaultwarden to bind ports in the range of 0-1024
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+NoNewPrivileges=yes
 LimitNOFILE=1048576
-LimitNPROC=256
+UMask=0077
+LimitNPROC=64
+ProtectSystem=strict
+ProtectHome=true
+ReadWriteDirectories=/var/lib/vaultwarden
+PrivateUsers=yes
 PrivateTmp=true
 PrivateDevices=true
-ProtectHome=true
-ProtectSystem=strict
+ProtectHostname=yes
+ProtectClock=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
+ProtectKernelLogs=yes
 ProtectControlGroups=yes
-
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
-SystemCallArchitectures=native
 SystemCallFilter=@system-service
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
-WorkingDirectory=/var/lib/vaultwarden
-ReadWriteDirectories=/var/lib/vaultwarden
-# Allow vaultwarden to bind ports in the range of 0-1024
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+Environment="WEB_VAULT_FOLDER=/usr/share/vaultwarden-web-vault/htdocs"
+EnvironmentFile=/etc/vaultwarden.env
 [Install]
 WantedBy=multi-user.target |
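Review bot: The newly added `PrivateUsers=yes` most likely defeats the `AmbientCapabilities=CAP_NET_BIND_SERVICE` / `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` pair kept just above it, because with a private user namespace the capability is only held inside that namespace while the socket still lives in the host network namespace, so binding a port below 1024 should fail with EACCES and the comment "Allow vaultwarden to bind ports in the range of 0-1024" becomes misleading; this should be confirmed on a host where ROCKET_PORT is set below 1024. Either drop `PrivateUsers=yes` and keep the capability, or keep `PrivateUsers=yes`, remove both capability lines and replace the comment with `# PrivateUsers=yes prevents binding ports < 1024; run on an unprivileged ROCKET_PORT behind a reverse proxy` so the intent of the hardening is recorded. Unrelated to that, `ReadWriteDirectories=` is the legacy spelling and should be written as `ReadWritePaths=/var/lib/vaultwarden` to match the other current option names in the unit. Since `EnvironmentFile=/etc/vaultwarden.env` is read by systemd as root and typically carries ADMIN_TOKEN and DATABASE_URL credentials, a short comment noting that the file should be root-owned and mode 0600 would help packagers.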