45 lines
1.1 KiB
SYSTEMD
45 lines
1.1 KiB
SYSTEMD
[Unit]
|
|
Description=kiss-ftpd FTP daemon
|
|
After=network-online.target
|
|
Wants=network-online.target
|
|
StartLimitIntervalSec=0
|
|
Documentation=https://code.moparisthebest.com/moparisthebest/kiss-ftpd
|
|
Documentation=https://github.com/moparisthebest/kiss-ftpd
|
|
|
|
[Service]
|
|
ExecStart=/usr/bin/kiss-ftpd
|
|
Restart=always
|
|
RestartSec=1s
|
|
User=ftp
|
|
Group=ftp
|
|
WorkingDirectory=/srv/ftp
|
|
ReadWritePaths=/srv/ftp
|
|
Environment=KISS_FTPD_LOG_LEVEL=WARN
|
|
|
|
# anything under here isn't strictly needed, but probably good
|
|
# to lock this down with the minimal permissions necessary
|
|
# which are not many at all
|
|
ProtectSystem=strict
|
|
ProtectHome=true
|
|
PrivateTmp=true
|
|
PrivateDevices=true
|
|
ProtectHostname=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelLogs=true
|
|
ProtectControlGroups=true
|
|
RestrictAddressFamilies=AF_INET AF_INET6
|
|
RestrictNamespaces=net
|
|
LockPersonality=true
|
|
MemoryDenyWriteExecute=true
|
|
RestrictRealtime=true
|
|
RestrictSUIDSGID=true
|
|
RemoveIPC=true
|
|
SystemCallArchitectures=native
|
|
# these are just needed to bind to low ports
|
|
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|