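# nats-server-hardened.service
# systemd unit that runs nats-server as the unprivileged "nats" user inside a
# systemd sandbox (see the "Hardening" settings in [Service]).

[Unit]
Description=NATS Server
# After= only orders startup. Wants= is what pulls network-online.target into
# the transaction, so the ordering below has something to wait for.
Wants=network-online.target
After=network-online.target ntp.service

[Service]
Type=simple
ExecStart=/usr/sbin/nats-server -c /etc/nats-server.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s SIGINT $MAINPID
User=nats
Group=nats
# The nats-server uses SIGUSR2 to trigger a Lame Duck Mode (LDM) shutdown.
# NOTE(review): systemd runs ExecStop= first and delivers KillSignal= only to
# processes that are still alive afterwards, so SIGINT reaches the server
# before SIGUSR2 does. Confirm that this is the intended stop sequence.
KillSignal=SIGUSR2
# You might want to adjust TimeoutStopSec too.

# Hardening
# Empty assignment: the capability bounding set is cleared.
CapabilityBoundingSet=
# JetStream requires 2 FDs open per stream.
LimitNOFILE=800000
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
# Empty assignment resets the list; no extra read-only paths are configured.
ReadOnlyPaths=
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
# systemd honours "~" only as the first character of a SystemCallFilter= list.
# Written mid-list, "~@privileged" is parsed as an unknown system call name and
# ignored with a warning, so nothing is subtracted from the allow-list.
# The allow-list therefore goes on the first line and the groups to remove on
# a second line that starts with "~".
# A filtered call terminates the process (SIGSYS) unless
# SystemCallErrorNumber= is set. After deploying, check the journal and
# `systemd-analyze security <unit>` to confirm the service still starts.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# systemd.exec(5) recommends pairing SystemCallFilter= with this setting so a
# secondary ABI cannot be used to get around the filter. Enable once tested.
#SystemCallArchitectures=native
UMask=0077

# If you have systemd >= 247
ProtectProc=invisible

# If you have systemd >= 248
PrivateIPC=true

# Optional: writable directory for JetStream.
# ProtectSystem=strict mounts the file system hierarchy read-only, so JetStream
# storage must be listed here. The directory has to exist before the unit
# starts (or prefix the path with "-" to tolerate a missing directory).
ReadWritePaths=/var/lib/nats

# Optional: resource control.
# Replace weights by values that make sense for your situation.
# For a list of all options see:
# https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html
# CPUWeight= and IOWeight= take a value from 1 to 10000 (default 100).
# Unit files have no trailing-comment syntax: keep notes on their own line, or
# they become part of the value once the setting is uncommented.
#CPUAccounting=true
#CPUWeight=100
#IOAccounting=true
#IOWeight=100
#MemoryAccounting=true
# Size suffixes are K, M, G, T (base 1024).
#MemoryMax=1G
#IPAccounting=true

[Install]
WantedBy=multi-user.target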