File coturn.service of Package coturn
[Unit]
Description=STUN and TURN relay server for VoIP and WebRTC
Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1)
After=syslog.target network.target
[Service]
User=coturn
Group=coturn
Type=simple
EnvironmentFile=-/etc/sysconfig/coturn
PIDFile=/run/coturn/turnserver.pid
ExecStart=/usr/bin/turnserver -c /etc/coturn/turnserver.conf --pidfile /run/coturn/turnserver.pid $EXTRA_OPTIONS
Restart=on-abort
ExecReload=/bin/kill -HUP $MAINPID
# next lines allow coturn to bind to a port below 1024
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
LimitCORE=infinity
LimitNOFILE=999999
LimitNPROC=60000
LimitRTPRIO=infinity
LimitRTTIME=7000000
CPUSchedulingPolicy=other
UMask=0007
# various hardening options
ProtectSystem=strict
ReadWritePaths=/run/coturn /var/lib/coturn /var/log/coturn
LockPersonality=yes
MemoryDenyWriteExecute=yes
MountFlags=private
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RemoveIPC=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictSUIDSGID=yes
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @resources @cpu-emulation @obsolete
[Install]
WantedBy=multi-user.target