Markus Zehnder
54f34def2c
The sysinfo name was too generic and misleading. This tool provides sensor values from the system for `asterctl` and is not a generic system information tool.
45 lines
1.1 KiB
Desktop File
45 lines
1.1 KiB
Desktop File
[Unit]
|
|
Description=Daemon for gathering sensor values for asterctl
|
|
After=local-fs.target
|
|
|
|
[Service]
|
|
Type=exec
|
|
DynamicUser=true
|
|
|
|
# Use /run/asterctl directory for writing sensor file
|
|
RuntimeDirectory=asterctl
|
|
#Logging configuration
|
|
#Environment=RUST_LOG=debug
|
|
ExecStart=/usr/local/bin/aster-sysinfo --out /run/asterctl/sensors/sysinfo.txt --temp-dir /run/asterctl --refresh 3
|
|
# Created files are world-readable
|
|
UMask=002
|
|
|
|
# Lock down service, remove single entries or whole section if metrics gathering doesn't work
|
|
# START lock down
|
|
CapabilityBoundingSet=
|
|
LockPersonality=true
|
|
RestrictNamespaces=true
|
|
ProtectHome=true
|
|
ProtectSystem=strict
|
|
NoNewPrivileges=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelLogs=true
|
|
ProtectControlGroups=true
|
|
MemoryDenyWriteExecute=true
|
|
RestrictSUIDSGID=true
|
|
KeyringMode=private
|
|
ProtectClock=true
|
|
RestrictRealtime=true
|
|
PrivateTmp=true
|
|
PrivateUsers=true
|
|
ProtectHostname=true
|
|
RestrictAddressFamilies=none
|
|
SystemCallFilter=@system-service
|
|
SystemCallFilter=~@privileged @resources
|
|
SystemCallErrorNumber=EPERM
|
|
# END lock down
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|