diff --git a/contrib/systemd/watchdog.service b/contrib/systemd/watchdog.service
new file mode 100644
index 0000000..195db0b
--- /dev/null
+++ b/contrib/systemd/watchdog.service
@@ -0,0 +1,53 @@
+[Unit]
+Description=Watchdog Privacy Analytics
+Documentation=https://github.com/notashelf/watchdog
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=watchdog
+Group=watchdog
+
+ExecStart=watchdog -config /etc/watchdog/config.yaml
+
+Restart=on-failure
+RestartSec=5s
+
+# State directory for HLL persistence
+StateDirectory=watchdog
+WorkingDirectory=/var/lib/watchdog
+
+# Security hardening
+NoNewPrivileges=true
+PrivateTmp=true
+
+# File system protections
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/watchdog
+
+# Capabilities
+AmbientCapabilities=
+CapabilityBoundingSet=
+
+# Sandboxing
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+
+# System call filtering
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
diff --git a/contrib/systemd/watchdog.sysusers b/contrib/systemd/watchdog.sysusers
new file mode 100644
index 0000000..bf9fdf8
--- /dev/null
+++ b/contrib/systemd/watchdog.sysusers
@@ -0,0 +1,2 @@
+#Type Name ID GECOS Home directory Shell
+u watchdog - "Watchdog Analytics" /var/lib/watchdog /usr/sbin/nologin
diff --git a/contrib/systemd/watchdog.tmpfiles b/contrib/systemd/watchdog.tmpfiles
new file mode 100644
index 0000000..d14dad8
--- /dev/null
+++ b/contrib/systemd/watchdog.tmpfiles
@@ -0,0 +1,3 @@
+#Type Path Mode User Group Age Argument
+d /var/lib/watchdog 0750 watchdog watchdog - -
+d /etc/watchdog 0755 root root - -
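Review bot: `StateDirectory=watchdog` is set without `StateDirectoryMode=`, so systemd will most likely apply its default 0755 to /var/lib/watchdog when the service starts, undoing the 0750 that watchdog.tmpfiles sets on the same directory. Adding `StateDirectoryMode=0750`, plus `UMask=0077` for the files the service writes there, keeps the persisted HLL state closed to other local users. `ReadWritePaths=/var/lib/watchdog` is redundant, since StateDirectory already makes that path writable under `ProtectSystem=strict`. The sandboxing block leaves /dev and some kernel interfaces reachable; `PrivateDevices=true`, `ProtectKernelLogs=true` and `ProtectClock=true` fit a network-only daemon, and `systemd-analyze security watchdog.service` will show what remains. `ExecStart=watchdog` relies on systemd's built-in search path, so an absolute path would make explicit which binary runs.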
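Review bot: `/etc/watchdog` is created 0755 root:root in watchdog.tmpfiles, so any local user can list it and the confidentiality of config.yaml rests entirely on that file's own mode. Whether the config carries secrets is not visible in this diff. If it can, `d /etc/watchdog 0750 root watchdog - -` keeps the directory readable by the service's group and closed to everyone else.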