40 lines
922 B
SYSTEMD
40 lines
922 B
SYSTEMD
# /etc/systemd/system/grafana.service
|
|
[Unit]
|
|
Description=Grafana
|
|
After=nginx.service docker.service
|
|
|
|
[Service]
|
|
Delegate=no
|
|
; Restart=on-failure
|
|
Restart=always
|
|
RestartSec=10
|
|
ExecStart=/usr/bin/docker-compose -p grafana -f /etc/grafana/docker-compose.yml up
|
|
ExecStop=/usr/bin/docker-compose -p grafana -f /etc/grafana/docker-compose.yml stop
|
|
|
|
CapabilityBoundingSet=
|
|
SystemCallFilter=~memfd_create
|
|
ProtectProc=invisible
|
|
ProtectHome=true
|
|
RestrictNamespaces=uts ipc pid user cgroup
|
|
NoNewPrivileges=True
|
|
#SecureBits=noroot-locked
|
|
ProtectSystem=strict
|
|
DevicePolicy=closed
|
|
PrivateTmp=true
|
|
PrivateDevices=true
|
|
PrivateUsers=true
|
|
ProtectHostname=true
|
|
ProtectClock=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelLogs=true
|
|
ProtectControlGroups=true
|
|
LockPersonality=true
|
|
MemoryDenyWriteExecute=true
|
|
RestrictRealtime=true
|
|
RestrictSUIDSGID=true
|
|
SystemCallArchitectures=native
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|