diff options
Diffstat (limited to 'app-admin/vaultwarden/files/vaultwarden.service')
-rw-r--r-- | app-admin/vaultwarden/files/vaultwarden.service | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/app-admin/vaultwarden/files/vaultwarden.service b/app-admin/vaultwarden/files/vaultwarden.service new file mode 100644 index 0000000..12ba0d4 --- /dev/null +++ b/app-admin/vaultwarden/files/vaultwarden.service @@ -0,0 +1,37 @@ +[Unit] +Description=Unofficial Bitwarden compatible server written in Rust +Documentation=https://github.com/dani-garcia/vaultwarden +After=network.target mariadb.service mysqld.service postgresql.service + +[Service] +User=vaultwarden +Group=vaultwarden +Environment="WEB_VAULT_FOLDER=/usr/share/vaultwarden-web-vault/htdocs" +EnvironmentFile=/etc/vaultwarden.env +ExecStart=/usr/bin/vaultwarden + +LimitNOFILE=1048576 +LimitNPROC=256 + +PrivateTmp=true +PrivateDevices=true +ProtectHome=true +ProtectSystem=strict +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectControlGroups=yes + +RestrictNamespaces=yes + +SystemCallArchitectures=native +SystemCallFilter=@system-service +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 + +WorkingDirectory=/var/lib/vaultwarden +ReadWriteDirectories=/var/lib/vaultwarden +# Allow vaultwarden to bind ports in the range of 0-1024 +AmbientCapabilities=CAP_NET_BIND_SERVICE +CapabilityBoundingSet=CAP_NET_BIND_SERVICE + +[Install] +WantedBy=multi-user.target |