From 16ace569a099130c9631db3a5b2547e1bc9864dc Mon Sep 17 00:00:00 2001
From: NotAShelf
Date: Sun, 1 Mar 2026 14:26:45 +0300
Subject: [PATCH] meta: provide systemd template files
Signed-off-by: NotAShelf
Change-Id: I2ed3bcfa3e0f58685a883a301c898ee86a6a6964
---
contrib/systemd/watchdog.service | 53 +++++++++++++++++++++++++++++++
contrib/systemd/watchdog.sysusers | 2 ++
contrib/systemd/watchdog.tmpfiles | 3 ++
3 files changed, 58 insertions(+)
create mode 100644 contrib/systemd/watchdog.service
create mode 100644 contrib/systemd/watchdog.sysusers
create mode 100644 contrib/systemd/watchdog.tmpfiles
diff --git a/contrib/systemd/watchdog.service b/contrib/systemd/watchdog.service
new file mode 100644
index 0000000..195db0b
--- /dev/null
+++ b/contrib/systemd/watchdog.service
@@ -0,0 +1,53 @@
+[Unit]
+Description=Watchdog Privacy Analytics
+Documentation=https://github.com/notashelf/watchdog
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=watchdog
+Group=watchdog
+
+ExecStart=watchdog -config /etc/watchdog/config.yaml
+
+Restart=on-failure
+RestartSec=5s
+
+# State directory for HLL persistence
+StateDirectory=watchdog
+WorkingDirectory=/var/lib/watchdog
+
+# Security hardening
+NoNewPrivileges=true
+PrivateTmp=true
+
+# File system protections
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/watchdog
+
+# Capabilities
+AmbientCapabilities=
+CapabilityBoundingSet=
+
+# Sandboxing
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+
+# System call filtering
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
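Review bot: The sandboxing block stops short of the device, kernel-log, clock, hostname and /proc protections, although the unit already drops every capability and nothing visible in it suggests the daemon needs any of those. The five directives below fit next to the existing `Protect*` lines; systemd versions that predate a directive log a warning and ignore it, so the template stays loadable. Separately, `ExecStart=watchdog …` is not an absolute path, so the binary that runs is whichever one systemd's compiled-in search path finds first; a packager-substituted absolute path (`ExecStart=/ABSOLUTE/PATH/watchdog -config /etc/watchdog/config.yaml`, placeholder) makes that explicit.

```ini
# Sandboxing
# … unchanged: ProtectKernelTunables= through PrivateMounts= …
PrivateDevices=true
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true
ProtectProc=invisible
```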
diff --git a/contrib/systemd/watchdog.sysusers b/contrib/systemd/watchdog.sysusers
new file mode 100644
index 0000000..bf9fdf8
--- /dev/null
+++ b/contrib/systemd/watchdog.sysusers
@@ -0,0 +1,2 @@
+#Type Name ID GECOS Home directory Shell
+u watchdog - "Watchdog Analytics" /var/lib/watchdog /usr/sbin/nologin
diff --git a/contrib/systemd/watchdog.tmpfiles b/contrib/systemd/watchdog.tmpfiles
new file mode 100644
index 0000000..d14dad8
--- /dev/null
+++ b/contrib/systemd/watchdog.tmpfiles
@@ -0,0 +1,3 @@
+#Type Path Mode User Group Age Argument
+d /var/lib/watchdog 0750 watchdog watchdog - -
+d /etc/watchdog 0755 root root - -
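Review bot: The `d /var/lib/watchdog 0750` line and the unit's `StateDirectory=watchdog` manage the same directory but disagree on its mode, because StateDirectory= defaults to 0755 when `StateDirectoryMode=` is not set. Adding `StateDirectoryMode=0750` to watchdog.service keeps the two in agreement, so the tighter mode does not depend on tmpfiles having run; alternatively this line can be dropped, since StateDirectory= already creates and chowns the directory. `/etc/watchdog` is created world-readable at 0755; if config.yaml can hold secrets (not visible from this patch), `d /etc/watchdog 0750 root watchdog - -` would limit reads to root and the service group.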