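[Unit]
# Quadlet container unit for VictoriaLogs, rendered from a Jinja template.
Description=Victoria Logs
# Weak dependency on, and ordering after, network.target.
Wants=network.target
After=network.target
# Start rate limit: at most 1 start per 1-second window.
# NOTE(review): [Service] sets Restart=always with RestartSec=1, so restarts are
# spaced about as far apart as this window. The limit may rarely trigger and a
# crash-looping instance may keep restarting; confirm that is intended and alert on it.
StartLimitIntervalSec=1s
StartLimitBurst=1
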
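[Container]
# Image reference is supplied by the victoria_logs_container_image variable.
# NOTE(review): a digest-pinned reference keeps the deployed image reproducible;
# a mutable tag does not. Confirm how the variable is set.
Image={{ victoria_logs_container_image }}
# Never pull at start: the image must already be in local storage, so a restart
# cannot fetch a different image on its own.
Pull=never
# Arguments are joined with single spaces and are not quoted.
# NOTE(review): an argument containing whitespace, quotes, % or $ may be re-split
# or expanded when the unit is parsed; confirm victoria_logs_args never holds such values.
Exec={{ victoria_logs_args | join(' ') }}
# Run the container process as the configured user and group instead of the image default.
User={{ victoria_logs_user.uid }}
Group={{ victoria_logs_user.group }}
# Bind-mounts the state directory (%S/%p, the same directory StateDirectory=%p
# creates in [Service]) at /data. Options: rw = writable, z = shared SELinux
# relabel, U = chown the host path to the container user.
# With ReadOnly=yes below, this is the only persistent writable path declared here.
Volume=%S/%p:/data:rw,z,U
# Block privilege gain through setuid binaries or file capabilities.
NoNewPrivileges=yes
# Read-only root filesystem; ReadOnlyTmpfs keeps the usual scratch locations
# (such as /tmp and /run) writable as tmpfs.
ReadOnly=yes
ReadOnlyTmpfs=yes
# Allows binding ports below 1024. The fixed port 9428 does not need this, so it is
# presumably for listeners configured through the arguments; verify it is required.
# NOTE(review): no DropCapability= is set, so the runtime's default capability
# set stays in place alongside this one.
AddCapability=CAP_NET_BIND_SERVICE
# No host address is given, so the port is published on all host interfaces.
# NOTE(review): if nothing authenticates requests in front of this endpoint,
# restrict exposure with a host address prefix (for example 127.0.0.1:9428:9428)
# or a host firewall rule.
PublishPort=9428:9428
# Extra port specs from victoria_logs_publish_ports are emitted verbatim, one
# PublishPort= line each; the same exposure consideration applies to every entry.
{% for portspec in victoria_logs_publish_ports %}
PublishPort={{ portspec }}
{% endfor %}
# Health probe runs inside the container, so the image must provide /usr/bin/wget.
# Port 9428 is hard-coded and must match the listen address set in the arguments.
HealthCmd=/usr/bin/wget -q -O /dev/null 127.0.0.1:9428/health
HealthInterval=1m
# A failed probe stops the container; Restart=always in [Service] presumably
# starts it again afterwards.
HealthOnFailure=stop
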
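[Service]
# These settings apply to the service Quadlet generates for the container, that is
# the container runtime process tree on the host, in addition to the [Container] options.
# Creates the state directory named after the unit prefix (%S/%p); this is the
# host side of the Volume= bind mount in [Container].
StateDirectory=%p
# Restart unconditionally, one second after the service exits.
Restart=always
RestartSec=1
# Refuse memory mappings that are both writable and executable.
MemoryDenyWriteExecute=yes
# Private /tmp and /var/tmp for the service.
PrivateTmp=yes
# Deny changing the system clock, reading the kernel log, and loading kernel modules.
ProtectClock=yes
# Make home directories inaccessible to the service.
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
# Hide other users' processes in /proc.
ProtectProc=invisible
# Mount the whole file system hierarchy read-only, except the paths listed below.
ProtectSystem=strict
# Writable exceptions: the service state directory, container storage, the
# runtime directory root (%t) and the container network configuration.
# NOTE(review): %t makes the entire runtime directory writable, which is broad;
# presumably the container runtime needs it. Confirm whether a narrower path suffices.
ReadWritePaths=%S/%p
ReadWritePaths=%S/containers/storage
ReadWritePaths=%t
ReadWritePaths=/etc/containers/networks
# Deny realtime scheduling policies.
RestrictRealtime=yes
# Files created by the service are accessible to their owner only.
UMask=0077
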
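[Install]
# Start the container as part of the normal multi-user boot target.
WantedBy=multi-user.target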