andyklimczak · October 6, 2025 01:05 · Oct 6, 2025
diff --git a/gistfile1.txt b/gistfile1.txt
@@ -0,0 +1,56 @@
+# /etc/systemd/system/myservice.service
+[Unit]
+Description=MyService via Docker Compose
+Wants=network-online.target docker.service
+After=network-online.target docker.service
+ConditionPathExists=/home/myuser/myservice/docker-compose.yml
+AssertPathExists=/home/myuser/myservice
+
+[Service]
+Type=simple
+User=myuser
+Group=myuser
+WorkingDirectory=/home/myuser/myservice
+
+# Compose file path once, so Exec lines stay tidy
+Environment="COMPOSE_FILE=/home/myuser/myservice/docker-compose.yml"
+
+# Sanity checks and optional image refresh
+ExecStartPre=/usr/bin/docker compose version
+ExecStartPre=/usr/bin/docker compose -f ${COMPOSE_FILE} pull --quiet
+
+# Foreground so systemd tracks the process
+ExecStart=/usr/bin/docker compose -f ${COMPOSE_FILE} up
+# Graceful stop that also removes the stack's network and orphans
+ExecStop=/usr/bin/docker compose -f ${COMPOSE_FILE} down
+
+# Restart policy and timings
+Restart=on-failure
+RestartSec=5
+TimeoutStartSec=0
+TimeoutStopSec=60
+KillMode=process
+
+# Let Docker manage its own cgroups
+Delegate=yes
+
+# Hardening. Be careful not to break the Docker client talking to dockerd.
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=full
+ProtectHome=read-only
+
+# Allow writes where your app needs them
+ReadWritePaths=/home/myuser/myservice
+
+# Docker CLI talks over a Unix socket and may reach the network for pulls
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+[Install]
+WantedBy=multi-user.target
No results found