This commit is contained in:
MaximilianKohler 2024-09-09 22:27:09 -04:00 committed by GitHub
commit 6ce70fd279
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -1,3 +1,6 @@
# This service template is designed to have the ability to run more than one instance of listmonk with different configurations but the same service unit.
# It may not work with older OS's with older systemd versions.
[Unit]
Description=listmonk mailing list and newsletter manager (%I)
ConditionPathExists=/etc/listmonk/%i.toml
@ -8,12 +11,23 @@ After=postgresql.service
[Service]
Type=simple
PermissionsStartOnly=true
EnvironmentFile=-/etc/default/listmonk
EnvironmentFile=-/etc/default/listmonk-%i
ExecStartPre=/usr/bin/mkdir -p "${HOME}/uploads"
ExecStartPre=/usr/bin/mkdir -p "/etc/listmonk/uploads"
ExecStartPre=/usr/bin/listmonk --config /etc/listmonk/%i.toml --upgrade --yes
ExecStart=/usr/bin/listmonk --config /etc/listmonk/%i.toml $SYSTEMD_LISTMONK_ARGS
TimeoutStopSec=10
Restart=on-failure
RestartSec=5
# To enable a static dir, add the following
# --static-dir /etc/listmonk/static
# to the end of the ExecStart line above after creating the dir and fetching the files with:
# mkdir -p /etc/listmonk/static ; wget -O - https://github.com/knadh/listmonk/archive/master.tar.gz | tar xz -C /etc/listmonk/static --strip=2 "listmonk-master/static"
# To enable a log file that persists after restarts, replace the ExecStart= line with:
# ExecStart=/bin/bash -ce "exec /usr/bin/listmonk --config /etc/listmonk/config.toml --static-dir /etc/listmonk/static >>/etc/listmonk/listmonk.log 2>&1"
# Create dynamic users for listmonk service instances
# but create a state directory for uploads in /var/lib/private/%i.
@ -32,20 +46,27 @@ NoNewPrivileges=True
CapabilityBoundingSet=
# listmonk only executes native code with no need for any other ABIs.
SystemCallArchitectures=native
# Only enable a reasonable set of system calls.
# see: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
# may give dump error https://mumaritc.hashnode.dev/how-to-install-listmonk-using-binary-on-ubuntu-2204
# SystemCallFilter=@system-service
# SystemCallFilter=~@privileged
# ProtectSystem=strict, which is implied by DynamicUser=True, already disabled write calls
# to the entire filesystem hierarchy, leaving only /dev/, /proc/, and /sys/ writable.
# listmonk doesnt need access to those so might as well disable them.
PrivateDevices=True
ProtectControlGroups=True
ProtectKernelTunables=True
# Make /home/, /root/, and /run/user/ inaccessible.
# If you set ExecStartPre=/usr/bin/mkdir -p "listmonk/uploads" to a directory in /home/ or /root/ it will cause uploads to fail
# See https://github.com/knadh/listmonk/issues/843#issuecomment-1836023524
ProtectHome=True
# listmonk doesnt handle any specific device nodes.
DeviceAllow=False
DevicePolicy=closed
# listmonk doesnt make use of linux namespaces.
RestrictNamespaces=True
# listmonk doesnt need realtime scheduling.