systemd config for nodejs webapp
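#
# Run a nodejs webapp in a systemd sandbox
#
# - Needs network I/O to localhost
# - Needs the ability to send mail via sendmail
#
# Layout: the root filesystem is replaced by a read-only tmpfs
# (TemporaryFileSystem=/:ro); the system paths the app needs are bound
# back in read-only, and only the mail spool and the app directory are
# bound read-write.
#
[Unit]
Description=Example Service
After=network.target

[Service]
Type=simple
# Unprivileged account the app runs as. Several of the hardening options
# below imply NoNewPrivileges=yes for a User= service, so setuid/setgid
# helpers (a sendmail wrapper, for example) cannot gain privileges here.
# NOTE(review): confirm mail delivery still works under that restriction.
User=exampleuser
ExecStart=/usr/bin/node /webapps/example/source/src/app.js
Restart=always
StandardOutput=journal
StandardError=journal
SyslogIdentifier=example
# PATH is set explicitly because the sandbox root is a bare tmpfs.
# /usr/bin was listed twice in the earlier version; the duplicate is dropped
# (lookup order is unchanged, since the first match wins).
Environment=PATH=/usr/bin:/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin
Environment=BASE=/webapps/example
Environment=PORT=3020
Environment=NODE_ENV=production
# DEBUG is deliberately set to the empty string (systemd strips the quotes).
Environment=DEBUG=""
# Read-only tmpfs root with selective bind mounts (a mount namespace,
# not a chroot(2) jail).
TemporaryFileSystem=/:ro
PrivateTmp=true
BindReadOnlyPaths=/dev /etc /lib /lib64 /proc /sys /sbin /usr/sbin /var
BindReadOnlyPaths=/usr/bin /usr/lib /usr/lib64 /usr/share /usr/libexec
BindReadOnlyPaths=/usr/bin/node
BindReadOnlyPaths=/usr/sbin/sendmail
BindReadOnlyPaths=/usr/sbin/sendmail-mta
# Writable: the mail spool (so sendmail can queue) and the app directory.
# NOTE(review): /webapps/example is read-write and contains the source tree
# that ExecStart runs, so the process can rewrite its own code. If the app
# only needs to write under a data subdirectory, prefer
# BindReadOnlyPaths=/webapps/example/source plus BindPaths= on that
# subdirectory only; confirm the app's write needs before narrowing.
BindPaths=/var/spool
BindPaths=/webapps/example
# Restrict networking to localhost (BPF-based filtering; requires the
# unified cgroup v2 hierarchy).
IPAddressDeny=any
IPAddressAllow=127.0.0.1
IPAddressAllow=::1
# Only IPv4/IPv6 sockets may be created; AF_UNIX is not permitted.
RestrictAddressFamilies=AF_INET AF_INET6
# Additional sandboxing flags. PrivateTmp=true appeared a second time
# here in the earlier version; it is already set above, so the duplicate
# is dropped (same effective value).
LockPersonality=true
PrivateDevices=true
ProcSubset=pid
ProtectKernelModules=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectProc=invisible
RemoveIPC=true
RestrictNamespaces=true
RestrictSUIDSGID=true
# Safe for a node process: no realtime scheduling, native ABI only.
RestrictRealtime=true
SystemCallArchitectures=native
# NOTE(review): SystemCallFilter=@system-service is a common further
# restriction; test it against this app before enabling.

[Install]
WantedBy=multi-user.target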