author | Franck Cuny <franck@fcuny.net> | 2021-10-25 10:10:42 -0700 |
---|---|---|
committer | Franck Cuny <franck@fcuny.net> | 2022-06-11 14:32:09 -0700 |
commit | 2a354d6e9f20576d2050971fbc71f031142fc19b (patch) | |
tree | 4915123e7b261bec000070084f9d27e9dfe9e7d3 /tools | |
parent | scrobbler: read mpd status before processing song (diff) | |
download | world-2a354d6e9f20576d2050971fbc71f031142fc19b.tar.gz |
scrobbler: add a systemd unit file
As I want the scrobbler to be started automatically when I log into my session, the easiest way to do this is by having a systemd unit file that I run for my own user. The unit expects that the binary for the scrobbler is under my $GOPATH, which is hard coded for now. We also ensure that the binary exists before starting the unit. We harness the service with a number of directives.
Diffstat (limited to 'tools')
-rw-r--r-- | tools/mpd-stats/systemd/mpd-scrobbler.service | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/tools/mpd-stats/systemd/mpd-scrobbler.service b/tools/mpd-stats/systemd/mpd-scrobbler.service new file mode 100644 index 0000000..7990208 --- /dev/null +++ b/tools/mpd-stats/systemd/mpd-scrobbler.service @@ -0,0 +1,43 @@ +[Unit] +Description=mpd scrobbler +Documentation=https://git.fcuny.net/fcuny/mpd-stats +ConditionFileIsExecutable=%h/workspace/go/bin/mpd-scrobbler + +[Service] +ExecStart=%h/workspace/go/bin/mpd-scrobbler +Restart=on-failure + +PrivateTmp=yes +ProtectSystem=strict +NoNewPrivileges=yes +ProtectHome=yes + +# Prohibit access to any kind of namespacing: +RestrictNamespaces=yes + +# Make cgroup file system hierarchy inaccessible: +ProtectControlGroups=yes + +# Deny access to other user’s information in /proc: +ProtectProc=invisible + +# Only allow access to /proc pid files, no other files: +ProcSubset=pid + +# This daemon must not create any new files, but set the umask to 077 just in case. +UMask=077 + +# Filter dangerous system calls. The following is listed as safe basic choice +# in systemd.exec(5): +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallFilter=~@privileged +SystemCallFilter=~@resources +SystemCallErrorNumber=EPERM + +# Deny kernel execution domain changing: +LockPersonality=yes + +# Deny memory mappings that are writable and executable: +MemoryDenyWriteExecute=yes + |
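Review bot: In [Service], ProtectHome=yes is combined with ExecStart=%h/workspace/go/bin/mpd-scrobbler, so whenever the manager actually applies the mount sandboxing, the binary lives under a directory the service can no longer see and the exec fails. ConditionFileIsExecutable= will not catch this, because the condition is evaluated by the manager outside the service's sandbox. Either install the binary outside the home directory, or use ProtectHome=read-only, or keep the home hidden with ProtectHome=tmpfs and expose only the binary with BindReadOnlyPaths=%h/workspace/go/bin/mpd-scrobbler. It is also worth verifying with systemd-analyze --user security mpd-scrobbler.service which of these directives take effect in a per-user instance. Separately, the file has only [Unit] and [Service]; for the unit to start at login as the commit message intends, it needs an [Install] section (for example WantedBy=default.target) so it can be enabled.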