2024-06-23 18:32:40 -04:00
|
|
|
[Unit]
|
|
|
|
|
Description=CollabVM AnyOS bot
|
|
|
|
|
|
|
|
|
|
Wants=collabvmts@vm7.service
|
|
|
|
|
#Wants=collabvm@vm8.service
|
|
|
|
|
After=network.target
|
|
|
|
|
|
|
|
|
|
[Service]
|
|
|
|
|
User=collabvm
|
|
|
|
|
Group=collabvm
|
|
|
|
|
Type=simple
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
WorkingDirectory=/srv/collabvm/anyos-bot-new-new
|
2024-06-23 19:35:40 -04:00
|
|
|
ExecStart=/bin/node dist/index.js --max-old-space-size=1024 --use-largepages=on
|
2024-06-23 18:32:40 -04:00
|
|
|
|
|
|
|
|
# Hardening
|
|
|
|
|
PrivateTmp=yes
|
|
|
|
|
NoNewPrivileges=true
|
|
|
|
|
RestrictNamespaces=uts ipc pid user cgroup
|
|
|
|
|
|
|
|
|
|
# bleh
|
|
|
|
|
CPUQuota=50%
|
|
|
|
|
MemoryHigh=512M
|
|
|
|
|
MemoryMax=1G
|
|
|
|
|
|
|
|
|
|
ProtectKernelTunables=yes
|
|
|
|
|
ProtectKernelModules=yes
|
|
|
|
|
ProtectControlGroups=yes
|
|
|
|
|
PrivateDevices=yes
|
|
|
|
|
RestrictSUIDSGID=true
|
|
|
|
|
|
|
|
|
|
# avoids funny business
|
|
|
|
|
Restart=always
|
|
|
|
|
RestartSec=10
|
|
|
|
|
|
|
|
|
|
[Install]
|
|
|
|
|
WantedBy=multi-user.target
|
