matrix/roles/synapse/defaults/main/systemd.yml

54 lines
1.9 KiB
YAML
Raw Normal View History

---
synapse_systemd_name: "synapse.service"
synapse_systemd_service_directory: /etc/systemd/system
synapse_systemd_service_file: >-2
{{ synapse_systemd_service_directory }}/{{ synapse_systemd_name }}
synapse_systemd_state: >-2
{{ (synapse_state == 'present') | ternary('started', 'stopped') }}
synapse_systemd_enabled: >-2
{{ (synapse_state == 'present') | bool }}
synapse_systemd_unit_description: "Synapse matrix homeserver"
synapse_systemd_service_type: notify
synapse_systemd_service_exec_start: >-2
{{ synapse_venv_path }}/bin/synapse_homeserver \
--config-path={{ synapse_homeserver_config_file }}
synapse_systemd_service_exec_stop: >-2
{{ synapse_venv_path }}/bin/synctl \
stop {{ synapse_homeserver_config_file }}
synapse_systemd_service_exec_reload: >-2
/usr/bin/env kill -HUP $MAINPID
synapse_systemd_service_restart: on-failure
synapse_systemd_unit_after:
- "network.target"
synapse_systemd_unit_wants: []
synapse_systemd_install_wanted_by: "default.target"
# Hardening
synapse_systemd_service_read_write_paths:
- "{{ synapse_base_path }}"
- "{{ synapse_data_path }}"
- "{{ synapse_media_store_path }}"
- "{{ synapse_log_path }}"
synapse_systemd_service_restrict_address_families:
- "AF_INET"
- "AF_INET6"
- "AF_UNIX"
synapse_systemd_service_protect_system: strict
synapse_systemd_service_protect_home: true
synapse_systemd_service_protect_clock: true
synapse_systemd_service_protect_hostname: true
synapse_systemd_service_protect_protect_kernel_logs: true
synapse_systemd_service_protect_protect_kernel_modules: true
synapse_systemd_service_protect_protect_kernel_tunables: true
synapse_systemd_service_protect_protect_control_groups: true
synapse_systemd_service_restrict_namespaces: true
synapse_systemd_service_restrict_suid_sgid: true
synapse_systemd_service_remove_ipc: true
synapse_systemd_service_lock_personality: true
synapse_systemd_service_no_new_privileges: true