summaryrefslogtreecommitdiff
path: root/app-admin/vaultwarden/files/vaultwarden.service
diff options
context:
space:
mode:
Diffstat (limited to 'app-admin/vaultwarden/files/vaultwarden.service')
-rw-r--r--app-admin/vaultwarden/files/vaultwarden.service37
1 files changed, 37 insertions, 0 deletions
diff --git a/app-admin/vaultwarden/files/vaultwarden.service b/app-admin/vaultwarden/files/vaultwarden.service
new file mode 100644
index 0000000..12ba0d4
--- /dev/null
+++ b/app-admin/vaultwarden/files/vaultwarden.service
@@ -0,0 +1,37 @@
+[Unit]
+Description=Unofficial Bitwarden compatible server written in Rust
+Documentation=https://github.com/dani-garcia/vaultwarden
+After=network.target mariadb.service mysqld.service postgresql.service
+
+[Service]
+User=vaultwarden
+Group=vaultwarden
+Environment="WEB_VAULT_FOLDER=/usr/share/vaultwarden-web-vault/htdocs"
+EnvironmentFile=/etc/vaultwarden.env
+ExecStart=/usr/bin/vaultwarden
+
+LimitNOFILE=1048576
+LimitNPROC=256
+
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=strict
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+
+RestrictNamespaces=yes
+
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
+WorkingDirectory=/var/lib/vaultwarden
+ReadWriteDirectories=/var/lib/vaultwarden
+# Allow vaultwarden to bind ports in the range of 0-1024
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target