# Systemd unit file for librespeed-go. The defaults below are suitable for
# running all configurations in a medium-security environment. See comments
# below for additional caveats - particularly those labelled "IMPORTANT".
# You can edit this file, or alternatively you may prefer to use systemd's
# "override" mechanisms, to avoid editing this file e.g. using:
# systemctl edit librespeed.service

[Unit]
Description=LibreSpeed Server
After=syslog.target network-online.target
# Default to using socket activation (see accompanying socket unit file to
# configure the bind address etc.).
#Requires=librespeed.socket
#After=librespeed.socket

[Service]
Type=simple
# The paths to the installed binary and configuration file:
ExecStart=/usr/bin/librespeed -c /etc/librespeed/settings.toml
WorkingDirectory=/var/lib/librespeed
Restart=on-failure
#RestartSec=5

# IMPORTANT!
# If you use a database file (not server), then you will need to disable the
# DynamicUser setting, and manually create the UNIX user and group specified
# below, to ensure the file is accessible across multiple invocations of the
# service.
#DynamicUser=true
# You may prefer to use a different user or group name on your system.
User=librespeed
Group=librespeed

# The following options will work for all configurations, but are not the
# most secure, so you are advised to customise them as described below:

# If NOT using socket activation, or if using socket activation AND
# connecting to an external database server (MySQL, postgres) via TCP:
RestrictAddressFamilies=AF_INET AF_INET6
# If connecting to an external database via unix domain sockets (MySQL
# defaults to this mode of operation):
RestrictAddressFamilies=AF_UNIX
# If using 'none', 'memory', or 'bolt' database types, and socket activation,
# then the process will not need to bind to any new sockets, so we can remove
# the earlier AF_UNIX option again. In systemd versions before 249 this is
# the only way to say "Restrict the use of all address families":
RestrictAddressFamilies=AF_UNIX
RestrictAddressFamilies=~AF_UNIX
# ...in systemd version 249 and later, we can instead use the much clearer:
#RestrictAddressFamilies=none

# The following options are available (in systemd v247) to restrict the
# actions of the librespeed server for reasons of increased security.
# As a whole, the purpose of these is to provide an additional layer of
# security by mitigating any unknown security vulnerabilities which may exist
# in librespeed or in the libraries, tools and operating system components
# which it relies upon.

# IMPORTANT!
# The following line must be customised to your individual requirements.
# e.g. if using the 'bolt' in-process database type:
ReadWritePaths=/var/lib/librespeed

# Makes created files group-readable, but inaccessible by others
UMask=027

# Many of the following options are described in the systemd.resource-control(5)
# manual page.
# The following may be useful in your environment:
#IPAddressDeny=
#IPAddressAllow=
#IPAccounting=true
#IPIngressFilterPath=
#SocketBindAllow=

# If your system doesn't support all of the features below (e.g. because of
# the use of a version of systemd older than 247), you may need to comment-out
# some of the following lines.
# n.b. It may be possible to further restrict librespeed, but this is a good
# start, and will guard against many potential zero-day vulnerabilities.
# See the output of `systemd-analyze security librespeed.service` for further
# opportunities. Patches welcome!
CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=true
PrivateUsers=true
ProtectSystem=strict
ProtectHome=yes
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectHostname=true
RemoveIPC=true
RestrictNamespaces=true
RestrictSUIDSGID=true
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=@system-service

# Additionally, you may wish to use some of the systemd options documented in
# systemd.resource-control(5) to limit the CPU, memory, file-system I/O and
# network I/O that the librespeed server is permitted to consume according to
# the individual requirements of your installation.
#CPUQuota=25%
#MemoryMax=bytes
#MemorySwapMax=bytes
#TasksMax=N
#IOReadBandwidthMax=device bytes
#IOWriteBandwidthMax=device bytes
#IOReadIOPSMax=device IOPS, IOWriteIOPSMax=device IOPS
#IPAccounting=true
#IPAddressAllow=

[Install]
WantedBy=multi-user.target
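The merge rule for repeated RestrictAddressFamilies= lines that the comments above rely on, and the list of hardening directives the unit sets, can both be checked offline before a unit is installed. The Python linter below is an added example, not part of the librespeed project: it parses a unit file (SAMPLE_UNIT is a constructed cut-down unit built from the directives above), applies the merge rule documented in systemd.exec(5) for RestrictAddressFamilies= (the first non-empty assignment fixes allow-list or deny-list mode, same-polarity assignments add families, opposite-polarity ones remove them, an empty value resets, and none means an empty allow list), and reports which of the hardening directives used above are missing. Directive names and values are taken from this unit file; SAMPLE_UNIT, EXPECTED_HARDENING and the function names are the example's own, and backslash line continuations are assumed absent.

```python
"""Offline lint of a systemd service unit (added example, not librespeed code).

Computes the effective RestrictAddressFamilies= result for repeated
assignments using the merge rule from systemd.exec(5), and reports hardening
directives from the unit above that a given unit file does not set.
"""

# Constructed sample unit: the RestrictAddressFamilies sequence from the unit
# file above (all three blocks left in place, as in the template) plus a subset
# of its hardening directives. The commented-out "none" line is ignored.
SAMPLE_UNIT = """\
[Unit]
Description=LibreSpeed Server

[Service]
ExecStart=/usr/bin/librespeed -c /etc/librespeed/settings.toml
User=librespeed
RestrictAddressFamilies=AF_INET AF_INET6
RestrictAddressFamilies=AF_UNIX
RestrictAddressFamilies=AF_UNIX
RestrictAddressFamilies=~AF_UNIX
#RestrictAddressFamilies=none
NoNewPrivileges=yes
ProtectSystem=strict
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
"""

# Hardening directives and the values the librespeed unit above uses for them.
# (Example's own selection; extend it with the remaining directives as needed.)
EXPECTED_HARDENING = {
    "CapabilityBoundingSet": "",
    "NoNewPrivileges": "yes",
    "PrivateTmp": "yes",
    "ProtectSystem": "strict",
    "ProtectHome": "yes",
    "MemoryDenyWriteExecute": "true",
    "SystemCallArchitectures": "native",
    "SystemCallFilter": "@system-service",
}


def parse_unit(text):
    """Parse unit text into {section: [(key, value), ...]}.

    Repeated keys are kept in order, because systemd merges them; '#' and ';'
    comment lines and blank lines are skipped. Assumption: no '\\' continuations.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def effective_address_families(assignments):
    """Apply systemd's merge rule to successive RestrictAddressFamilies= values.

    Returns (allow_list, families): allow_list True means only `families` may
    be used, False means `families` are denied, None means no restriction.
    """
    allow_list, families = None, set()
    for value in assignments:
        if value == "":            # empty assignment undoes earlier restrictions
            allow_list, families = None, set()
            continue
        if value == "none":        # systemd 249+: empty allow list (deny all)
            allow_list, families = True, set()
            continue
        invert = value.startswith("~")
        if allow_list is None:     # first non-empty assignment fixes the mode
            allow_list = not invert
        for fam in value.lstrip("~").split():
            # same polarity as the set adds the family, opposite polarity removes it
            if (not invert) == allow_list:
                families.add(fam)
            else:
                families.discard(fam)
    return allow_list, families


def lint(text):
    """Return human-readable findings for the [Service] section of a unit."""
    findings = []
    values = {}
    for key, value in parse_unit(text).get("Service", []):
        values.setdefault(key, []).append(value)

    allow, fams = effective_address_families(values.get("RestrictAddressFamilies", []))
    if allow is None:
        findings.append("RestrictAddressFamilies unset: all address families allowed")
    elif allow:
        findings.append(f"address families allowed: {sorted(fams) or 'none'}")
    else:
        findings.append(f"address families denied: {sorted(fams)}")

    for key, want in EXPECTED_HARDENING.items():
        got = values.get(key)
        if got is None:
            findings.append(f"{key} missing (unit above sets {key}={want})")
        elif got[-1] != want:      # systemd keeps the last value of a plain key
            findings.append(f"{key}={got[-1]} differs from {want}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_UNIT):
        print(finding)
```

Running it on SAMPLE_UNIT shows why the comments above say to keep only the RestrictAddressFamilies block that matches your configuration: with all three blocks left in place the effective result is still an allow list of AF_INET and AF_INET6, because the AF_UNIX / ~AF_UNIX pair only yields "no families" when it is the sole assignment. The linter models the directives it knows about; `systemd-analyze security`, as the unit suggests, remains the authoritative check on a live system.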