andyklimczak · October 6, 2025 01:05
diff --git a/gistfile1.txt b/gistfile1.txt
 # /etc/systemd/system/myservice.service
 [Unit]
 Description=MyService via Docker Compose
 Wants=network-online.target docker.service
 After=network-online.target docker.service
 ConditionPathExists=/home/myuser/myservice/docker-compose.yml
 AssertPathExists=/home/myuser/myservice

 [Service]
 Type=simple
 User=myuser
 Group=myuser
 WorkingDirectory=/home/myuser/myservice

 # Compose file path once, so Exec lines stay tidy
 Environment="COMPOSE_FILE=/home/myuser/myservice/docker-compose.yml"

 # Sanity checks and optional image refresh
 ExecStartPre=/usr/bin/docker compose version
 ExecStartPre=/usr/bin/docker compose -f ${COMPOSE_FILE} pull --quiet

 # Foreground so systemd tracks the process
 ExecStart=/usr/bin/docker compose -f ${COMPOSE_FILE} up
 # Graceful stop that also removes the stack's network and orphans
 ExecStop=/usr/bin/docker compose -f ${COMPOSE_FILE} down

 # Restart policy and timings
 Restart=on-failure
 RestartSec=5
 TimeoutStartSec=0
 TimeoutStopSec=60
 KillMode=process

 # Let Docker manage its own cgroups
 Delegate=yes

 # Hardening. Be careful not to break the Docker client talking to dockerd.
 NoNewPrivileges=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=full
 ProtectHome=read-only

 # Allow writes where your app needs them
 ReadWritePaths=/home/myuser/myservice

 # Docker CLI talks over a Unix socket and may reach the network for pulls
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
 SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap

 [Install]
 WantedBy=multi-user.target
	# /etc/systemd/system/myservice.service
	[Unit]
	Description=MyService via Docker Compose
	Wants=network-online.target docker.service
	After=network-online.target docker.service
	ConditionPathExists=/home/myuser/myservice/docker-compose.yml
	AssertPathExists=/home/myuser/myservice

	[Service]
	Type=simple
	User=myuser
	Group=myuser
	WorkingDirectory=/home/myuser/myservice

	# Compose file path once, so Exec lines stay tidy
	Environment="COMPOSE_FILE=/home/myuser/myservice/docker-compose.yml"

	# Sanity checks and optional image refresh
	ExecStartPre=/usr/bin/docker compose version
	ExecStartPre=/usr/bin/docker compose -f ${COMPOSE_FILE} pull --quiet

	# Foreground so systemd tracks the process
	ExecStart=/usr/bin/docker compose -f ${COMPOSE_FILE} up
	# Graceful stop that also removes the stack's network and orphans
	ExecStop=/usr/bin/docker compose -f ${COMPOSE_FILE} down

	# Restart policy and timings
	Restart=on-failure
	RestartSec=5
	TimeoutStartSec=0
	TimeoutStopSec=60
	KillMode=process

	# Let Docker manage its own cgroups
	Delegate=yes

	# Hardening. Be careful not to break the Docker client talking to dockerd.
	NoNewPrivileges=yes
	PrivateTmp=yes
	ProtectControlGroups=yes
	ProtectKernelModules=yes
	ProtectKernelTunables=yes
	ProtectSystem=full
	ProtectHome=read-only

	# Allow writes where your app needs them
	ReadWritePaths=/home/myuser/myservice

	# Docker CLI talks over a Unix socket and may reach the network for pulls
	RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
	RestrictNamespaces=yes
	RestrictRealtime=yes
	SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap

	[Install]
	WantedBy=multi-user.target
No results found