64 lines
1.7 KiB
Desktop File
64 lines
1.7 KiB
Desktop File
[Unit]
|
|
Description=Mnemosyne Telegram bot (webhook receiver)
|
|
Documentation=https://git.castlehollow.com/rodger/mnemosyne
|
|
After=network-online.target
|
|
Wants=network-online.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=mnemosyne
|
|
Group=mnemosyne
|
|
WorkingDirectory=/opt/mnemosyne
|
|
|
|
ExecStart=/usr/bin/perl /opt/mnemosyne/bin/mnemosyne-bot \
|
|
--config /etc/mnemosyne/mnemosyne.conf
|
|
|
|
Restart=always
|
|
RestartSec=5
|
|
# Cap restart rate: no more than 5 restarts in 60 seconds
|
|
StartLimitBurst=5
|
|
StartLimitIntervalSec=60
|
|
|
|
# Logging
|
|
StandardOutput=journal
|
|
StandardError=journal
|
|
SyslogIdentifier=mnemosyne-bot
|
|
|
|
# ── Hardening ────────────────────────────────────────────────────────────────
|
|
# Prevent privilege escalation
|
|
NoNewPrivileges=true
|
|
|
|
# Private /tmp — isolates temp files from other services
|
|
PrivateTmp=true
|
|
|
|
# Read-only /usr, /boot, /etc (except the config dir we explicitly allow)
|
|
ProtectSystem=strict
|
|
# The bot needs to write the SQLite database; allow the data dir
|
|
ReadWritePaths=/var/lib/mnemosyne
|
|
|
|
# No access to home directories
|
|
ProtectHome=true
|
|
|
|
# Prevent writing to kernel tunables
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelLogs=true
|
|
ProtectControlGroups=true
|
|
|
|
# Restrict address families: only IPv4/IPv6 (outbound Telegram API) + Unix sockets
|
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
|
|
|
# Syscall filtering — Perl/DBI only needs the basics
|
|
SystemCallFilter=@system-service
|
|
SystemCallErrorNumber=EPERM
|
|
|
|
# No realtime scheduling, no raw I/O, no device access
|
|
RestrictRealtime=true
|
|
PrivateDevices=true
|
|
|
|
# Tighten /proc view
|
|
ProtectProc=invisible
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|