-
-
Notifications
You must be signed in to change notification settings - Fork 53
69 lines (64 loc) · 2.48 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
# A systemd Unit file to install and start etesync-dav.
#
# This Unit is for those that want to isolate the etesync-dav code from
# their system as much as possible, this is why DynamicUser and other
# isolation options are present.
# This unit is tested on systemd-245.4-4 and etesync-dav-0.16.0
# Put this file in /etc/systemd/system/[email protected] and run:
# sudo systemctl daemon-reload
# sudo systemctl restart etesync-dav@$USER
# sudo systemctl enable etesync-dav@$USER
# With the management UI at http://localhost:37358/, create your local user,
# and retrieve the url and password for your calendar client.
#
# Developer notes:
# With radicale master and libsystemd-dev will be able to use
# systemd socket activation and thus avoid race conditions at startup:
# https://github.com/Kozea/Radicale/commit/2275ba4f9323e87eeac61f8811a4cc2773061e70
# Don't use the forking mode and the --daemon flag or logs go to /dev/null.
[Unit]
Description=EteSync CalDAV and CardDAV front-end/proxy for %i
Documentation=https://github.com/etesync/etesync-dav
After=network-online.target
[Service]
UMask=022
RuntimeDirectory=%N
CacheDirectory=%N
# The pip3 install must be on a filesystem that is not mounted noexec, %t (/run) is mounted noexec
Environment=HOME=%T/%N
Environment=ETESYNC_DATA_DIR=%C/%N/data
Environment=PIP_MODULES=etesync-dav
Environment=CONFFILES="htpaswd etesync_creds"
ExecStartPre=mkdir -p -m 0700 $HOME $ETESYNC_DATA_DIR
ExecStartPre=+sh -c 'runuser -u %i -- sh -c "tar -C \\$HOME/.local/share/etesync-dav -hc $CONFFILES || tar -c --files-from /dev/null" > %t/%N/creds.tar'
ExecStartPre=tar -C ${ETESYNC_DATA_DIR} --unlink-first -f %t/%N/creds.tar -x
ExecStartPre=pip3 --cache-dir %C/%N/pip3-cache $PIP_ARGS install --no-warn-script-location $PIP_MODULES
ExecStart=%T/%N/.local/bin/etesync-dav $EXTRA_ARGS
# Some of these isolation options are from https://radicale.org/setup/
DynamicUser=true
RuntimeDirectoryPreserve=true
DevicePolicy=closed
CapabilityBoundingSet=
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictRealtime=true
# MemoryDenyWriteExecute=true
SystemCallFilter=@system-service
TemporaryFileSystem=/docker:ro /media:ro /opt:ro
InaccessiblePaths=/mnt /boot
MemoryHigh=512M
CPUQuota=90%
TasksMax=50
TimeoutStartSec=10m
Restart=on-failure
RestartSec=30min 1s
[Install]
WantedBy=multi-user.target