From 3ff1fe54a90ac347ed339e0a9a12166ff6e596d8 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 14 May 2022 16:11:11 -0400
Subject: [PATCH] add mjolnir systemd unit

---
 systemd/system/mjolnir.service | 41 ++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 systemd/system/mjolnir.service

diff --git a/systemd/system/mjolnir.service b/systemd/system/mjolnir.service
new file mode 100644
index 0000000..735014b
--- /dev/null
+++ b/systemd/system/mjolnir.service
@@ -0,0 +1,41 @@
+[Unit]
+Description=mjolnir bot
+After=synapse.service
+
+[Service]
+CapabilityBoundingSet=
+ExecStart=/usr/bin/node /opt/mjolnir/lib/index.js
+IPAddressDeny=any
+IPAddressAllow=localhost
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/var/lib/mjolnir
+Restart=on-failure
+RestartSec=5s
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service pkey_mprotect pkey_alloc pkey_free
+SystemCallFilter=~@privileged @resources @obsolete
+UMask=0077
+User=mjolnir
+WorkingDirectory=/var/lib/mjolnir
+
+[Install]
+WantedBy=multi-user.target