Remove comments from service files

deploy/bitcoind.service

@@ -1,70 +1,34 @@
 [Unit]
+After=network-online.target
 Description=Bitcoin daemon
 Documentation=https://github.com/bitcoin/bitcoin/blob/master/doc/init.md
-
-# https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
-After=network-online.target
 Wants=network-online.target
 
 [Service]
+ConfigurationDirectory=bitcoin
+ConfigurationDirectoryMode=0710
 ExecStart=/usr/local/bin/bitcoind \
   -datadir=/var/lib/bitcoind \
   -chain=${CHAIN} \
   -txindex
-
-# Make sure the config directory is readable by the service user
-PermissionsStartOnly=true
 ExecStartPre=/bin/chgrp bitcoin /etc/bitcoin
-
-# Process management
-####################
-
-Type=simple
-Restart=on-failure
-TimeoutStartSec=infinity
-TimeoutStopSec=600
-
-# Directory creation and permissions
-####################################
-
-# Run as bitcoin:bitcoin
-User=bitcoin
 Group=bitcoin
-
-# /run/bitcoind
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PermissionsStartOnly=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=full
+Restart=on-failure
 RuntimeDirectory=bitcoind
 RuntimeDirectoryMode=0710
-
-# /etc/bitcoin
-ConfigurationDirectory=bitcoin
-ConfigurationDirectoryMode=0710
-
-# /var/lib/bitcoind
 StateDirectory=bitcoind
 StateDirectoryMode=0710
-
-# Hardening measures
-####################
-
-# Provide a private /tmp and /var/tmp.
-PrivateTmp=true
-
-# Mount /usr, /boot/ and /etc read-only for the process.
-ProtectSystem=full
-
-# Deny access to /home, /root and /run/user
-ProtectHome=true
-
-# Disallow the process and all of its children to gain
-# new privileges through execve().
-NoNewPrivileges=true
-
-# Use a new /dev namespace only populated with API pseudo devices
-# such as /dev/null, /dev/zero and /dev/random.
-PrivateDevices=true
-
-# Deny the creation of writable and executable memory mappings.
-MemoryDenyWriteExecute=true
+TimeoutStartSec=infinity
+TimeoutStopSec=600
+Type=simple
+User=bitcoin
 
 [Install]
 WantedBy=multi-user.target

deploy/ord.service

@@ -6,7 +6,6 @@ StartLimitIntervalSec=10m
 
 [Service]
 AmbientCapabilities=CAP_NET_BIND_SERVICE
-WorkingDirectory=/var/lib/ord
 Environment=RUST_BACKTRACE=1
 Environment=RUST_LOG=info
 ExecStart=/usr/local/bin/ord \
@@ -17,47 +16,21 @@ ExecStart=/usr/local/bin/ord \
   server \
   --acme-contact mailto:[email protected] \
   --https-port 443
-
-# Process management
-####################
-
-Type=simple
+Group=ord
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=full
 Restart=on-failure
-TimeoutStopSec=10m
 RestartSec=5s
-
-# Directory creation and permissions
-####################################
-
-User=ord
-Group=ord
-
-# /var/lib/ord
 StateDirectory=ord
 StateDirectoryMode=0700
-
-# Hardening measures
-####################
-
-# Provide a private /tmp and /var/tmp.
-PrivateTmp=true
-
-# Mount /usr, /boot/ and /etc read-only for the process.
-ProtectSystem=full
-
-# Deny access to /home, /root and /run/user
-ProtectHome=true
-
-# Disallow the process and all of its children to gain
-# new privileges through execve().
-NoNewPrivileges=true
-
-# Use a new /dev namespace only populated with API pseudo devices
-# such as /dev/null, /dev/zero and /dev/random.
-PrivateDevices=true
-
-# Deny the creation of writable and executable memory mappings.
-MemoryDenyWriteExecute=true
+TimeoutStopSec=10m
+Type=simple
+User=ord
+WorkingDirectory=/var/lib/ord
 
 [Install]
 WantedBy=multi-user.target