Initial resurrection kit — 81 scripts, 62 references, configs, systemd units, crons, Docker compose files, Caddy config, master README
This commit is contained in:
@@ -0,0 +1,64 @@
|
||||
[Unit]
|
||||
Description=Advanced key-value store
|
||||
After=network.target
|
||||
Documentation=http://redis.io/documentation, man:redis-server(1)
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf --supervised systemd --daemonize no
|
||||
PIDFile=/run/redis/redis-server.pid
|
||||
TimeoutStopSec=0
|
||||
Restart=always
|
||||
User=redis
|
||||
Group=redis
|
||||
RuntimeDirectory=redis
|
||||
RuntimeDirectoryMode=2755
|
||||
|
||||
UMask=007
|
||||
PrivateTmp=true
|
||||
LimitNOFILE=65535
|
||||
PrivateDevices=true
|
||||
ProtectHome=true
|
||||
ProtectSystem=strict
|
||||
ReadWritePaths=-/var/lib/redis
|
||||
ReadWritePaths=-/var/log/redis
|
||||
ReadWritePaths=-/var/run/redis
|
||||
|
||||
CapabilityBoundingSet=
|
||||
LockPersonality=true
|
||||
MemoryDenyWriteExecute=true
|
||||
NoNewPrivileges=true
|
||||
PrivateUsers=true
|
||||
ProtectClock=true
|
||||
ProtectControlGroups=true
|
||||
ProtectHostname=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectProc=invisible
|
||||
RemoveIPC=true
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=@system-service
|
||||
SystemCallFilter=~ @privileged @resources
|
||||
|
||||
# redis-server can write to its own config file when in cluster mode so we
|
||||
# permit writing there by default. If you are not using this feature, it is
|
||||
# recommended that you remove this line.
|
||||
ReadWriteDirectories=-/etc/redis
|
||||
|
||||
# This restricts this service from executing binaries other than redis-server
|
||||
# itself. This is really effective at e.g. making it impossible to an
|
||||
# attacker to spawn a shell on the system, but might be more restrictive
|
||||
# than desired. If you need to, you can permit the execution of extra
|
||||
# binaries by adding an extra ExecPaths= directive with the command
|
||||
# systemctl edit redis-server.service
|
||||
NoExecPaths=/
|
||||
ExecPaths=/usr/bin/redis-server /usr/lib /lib
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Alias=redis.service
|
||||
Reference in New Issue
Block a user