Jobboerse/jobboerse.service

[Unit]
Description=Jobboerse Server
Documentation=https://www.fs-infmath.uni-kiel.de/git/FS-InfMath/Jobboerse
Requires=network.target
After=network.target

[Service]
Type=simple
User=jobboerse
Group=jobboerse
Restart=always
RestartSec=3
WorkingDirectory=/usr/lib/jobboerse
ExecStart=/usr/bin/jobboerse
TimeoutSec=120
# SIGINT somehow works more consistently than the default SIGTERM
# KillSignal=SIGINT
# Hardening Options below
NoNewPrivileges=yes
PrivateDevices=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/jobboerse
# jobboerse should not be accepting files lager than 20 MB so this should be
# plenty for a file size limit
LimitFSIZE=100M
# NoExecPaths=/
# ExecPaths=/usr/bin/jobboerse
ProtectHome=read-only
PrivateTmp=yes
PrivateUsers=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectClock=yes
LockPersonality=yes
ProtectHostname=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_INET AF_INET6
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
# Empty String = Empty Set
CapabilityBoundingSet=
RemoveIPC=yes
UMask=077
# e.g. Apache needs to be able to connect to the jobboerse listening socket
PrivateNetwork=no

[Install]
WantedBy=multi-user.target