File draupnir-bot.service of Package draupnir
# Unit metadata, ordering and the start-up precondition for the Draupnir bot.
# The __SYSCONFDIR__ token is a packaging placeholder, presumably substituted
# at build time - confirm against the spec file.
[Unit]
Description=Draupnir - Matrix Moderation Bot
Documentation=https://the-draupnir-project.github.io/draupnir-documentation
# Start after a Synapse unit on the same host and pull it in if it exists.
# Wants= is a weak dependency: this unit still starts when matrix-synapse
# is missing or fails, which suits a homeserver running elsewhere.
After=matrix-synapse.service
Wants=matrix-synapse.service
# Skip start-up (the unit is not marked failed) while the access-token file
# is absent or empty.
# NOTE(review): the file holds a bearer credential for the bot account. It
# should be owned by and readable only for the draupnir user/group - confirm
# that the package creates it with a restrictive mode.
ConditionFileNotEmpty=__SYSCONFDIR__/token
# Runtime definition and sandbox for the bot process.
# A quick way to review the resulting exposure on a target host is
# "systemd-analyze security draupnir-bot.service".
[Service]
# Mandatory AppArmor confinement: there is no leading "-", so on a system with
# AppArmor enabled the service fails to start when the profile is not loaded.
# The setting has no effect where AppArmor is disabled.
AppArmorProfile=draupnir
# Dedicated unprivileged account.
User=draupnir
Group=draupnir
# $ARGS is referenced unbraced in ExecStart=, so systemd splits it on
# whitespace into two arguments. Only the path of the token file is passed;
# the token itself appears neither in argv nor in the environment.
Environment=ARGS='--access-token-path __SYSCONFDIR__/token'
# Presumably read by the bot's configuration loader to locate its config
# files - verify against the application.
Environment=NODE_CONFIG_DIR=__SYSCONFDIR__
Environment=NODE_ENV=production
# https://bugzilla.opensuse.org/show_bug.cgi?id=1231020
Environment=NODE_VERSION=__NODE_VERSION__
ExecStart=/usr/bin/node __DATADIR__/lib/index.js $ARGS
# %N expands to the unit name without its type suffix.
SyslogIdentifier=%N
# Restart only after an unclean exit, 30 seconds apart.
Restart=on-failure
RestartSec=30
# NOTE(review): current systemd documents StartLimitBurst= under [Unit]; it is
# accepted here for compatibility. No StartLimitIntervalSec= is set, so the
# manager default interval applies. With 30 s between restarts the burst of
# 120 is unlikely ever to be reached, i.e. a crashing bot restarts
# indefinitely - confirm that this is intended and monitor the restart count.
StartLimitBurst=120
# Empty lists: the process starts with no capabilities and cannot gain any.
AmbientCapabilities=
CapabilityBoundingSet=
# Fresh session keyring that is not linked to the user keyring.
KeyringMode=private
LockPersonality=yes
# Mount changes are not propagated between the host and the service's
# mount namespace.
MountFlags=private
# setuid/setgid binaries and file capabilities cannot raise privileges.
NoNewPrivileges=yes
# Private /dev without physical devices and a private /tmp and /var/tmp.
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
# /home, /root and /run/user are hidden from the service.
# NOTE(review): this assumes __HOMEDIR__ (see ReadWritePaths= below) lies
# outside those trees, e.g. under /var/lib - confirm.
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# Whole file system hierarchy read-only except /dev, /proc and /sys;
# ReadWritePaths= below re-opens the single writable location.
ProtectSystem=strict
RemoveIPC=yes
# Only IPv4 and IPv6 sockets may be created; AF_UNIX, AF_NETLINK, AF_PACKET
# and all other families are refused. Destinations are not restricted in
# this unit as shown (no IPAddressAllow=/IPAddressDeny=).
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Rejects system calls made through a non-native ABI, which would otherwise
# bypass the filter below.
SystemCallArchitectures=native
# Allow-list (no "~" prefix): any system call outside these groups and names
# terminates the process, because no SystemCallErrorNumber= is set. Such a
# kill counts as a failure, so Restart=on-failure starts the bot again;
# repeated restarts right after an update are worth checking against the
# audit log for seccomp events.
# fsync is only needed for better-sqlite3 (for roomStateBackingStore)
SystemCallFilter=@basic-io @file-system @io-event @ipc @network-io @process @signal fsync ioctl madvise pkey_alloc sysinfo uname
# New files: no access for "other", no write access for the group.
UMask=027
# The only writable path under ProtectSystem=strict, apart from the private
# /tmp and /var/tmp.
ReadWritePaths=__HOMEDIR__
# NOTE(review): not set in this unit and worth evaluating for this service:
# ProtectProc=, ProcSubset=, PrivateUsers=, IPAddressDeny=/IPAddressAllow=.
## known not compatible:
# Left disabled - presumably because the JavaScript engine's JIT needs memory
# that is writable and executable at the same time (TODO confirm). This leaves
# the service without W^X enforcement from systemd.
#MemoryDenyWriteExecute=yes
# Enablement: "systemctl enable" hooks the unit into the normal multi-user
# boot target. The [Unit] condition on the token file still applies at start.
[Install]
WantedBy=multi-user.target