copr-matrix-synapse/synapse@.service

71 lines
1.4 KiB
SYSTEMD
Raw Normal View History

2021-06-29 15:56:13 +00:00
[Unit]
Description=Synapse Worker %i
AssertPathExists=/etc/synapse/workers/%i.yaml
# This service should be restarted when the synapse target is restarted.
#PartOf=synapse.target
#ReloadPropagatedFrom=synapse.target
# if this is started at the same time as the main, let the main process start
# first, to initialise the database schema.
After=synapse.service
[Service]
Type=notify
NotifyAccess=main
User=synapse
WorkingDirectory=/var/lib/synapse
2022-01-04 20:23:26 +00:00
ExecStart=/usr/bin/synapse_worker --config-path=/etc/synapse/homeserver.yaml --config-path=/etc/synapse/workers/%i.yaml
2021-06-29 15:56:13 +00:00
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=3
SyslogIdentifier=synapse-%i
Environment="LD_PRELOAD=/usr/lib64/libjemalloc.so.2"
CPUAccounting=on
MemoryAccounting=on
MemoryHigh=500M
MemoryMax=1G
MemorySwapMax=1G
CPUWeight=75
PrivateTmp=yes
PrivateDevices=true
PrivateUsers=true
CapabilityBoundingSet=
AmbientCapabilities=
DevicePolicy=closed
ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectClock=true
ProtectKernelLogs=yes
ProtectHostname=true
ProtectProc=invisible
ProcSubset=pid
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
NoNewPrivileges=yes
LockPersonality=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @obsolete
RemoveIPC=true
[Install]
WantedBy=multi-user.target