
systemd service unit example

Open bleetube opened this issue 1 year ago • 1 comments

The readme mentions "coming soon" for the service unit, so I just wanted to share mine which works while substantially restricting system access on Ubuntu 22.04:

[Unit]
Description=Nostr relay

[Service]
User=strfry
Group=strfry
WorkingDirectory=/opt/strfry
ExecStart=/opt/bin/strfry --config=strfry.conf relay
Restart=on-failure
RestartSec=5
ProtectHome=yes
NoNewPrivileges=yes
ProtectSystem=full
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Creating a restricted strfry user:

useradd -mb /opt -k /dev/null -s $(which nologin) strfry

For clarity, here are my paths under /opt:

├── bin
│   └── strfry
└── strfry
    ├── strfry.conf
    └── strfry-db

ProtectSystem=full requires at least systemd version 232; otherwise you should do this instead:

ProtectSystem=strict
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=yes

bleetube avatar Feb 05 '23 17:02 bleetube

Thank you! This looks great and pretty much what I was going to suggest too.

One other thing I usually add in production is:

LimitCORE=1000000000

Just in case there is a crash, a core dump is usually very valuable. For non-developers this is maybe not useful though, so I'm on the fence about adding that to the official suggestion.

hoytech avatar Feb 05 '23 20:02 hoytech
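
A small linter for the sandboxing directives named in this thread, as an added example that is not part of either post or of the strfry project: it reads the [Service] section of a unit file and reports which of those directives are not enabled. The function names are hypothetical, and the check that ProtectSystem=strict is paired with ReadWritePaths= or StateDirectory= (so that strfry-db stays writable) is an assumption of this example.

```shell
#!/bin/sh
# Added example, not strfry project code; function names are hypothetical.

# Print the last value of directive $2 in the [Service] section of file $1.
unit_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\]/); next }
        !in_service || /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Print one finding per line; return 1 if anything was reported.
audit_unit() {
    unit=$1 rc=0
    report() { echo "$1"; rc=1; }
    case $(unit_get "$unit" User) in
        ''|root|0) report "User: service runs as root" ;;
    esac
    for d in NoNewPrivileges ProtectHome ProtectControlGroups \
             ProtectKernelModules ProtectKernelTunables; do
        case $d=$(unit_get "$unit" "$d") in
            *=yes|*=true|*=on|*=1|ProtectHome=read-only|ProtectHome=tmpfs) ;;
            *) report "$d: not enabled" ;;
        esac
    done
    case $(unit_get "$unit" ProtectSystem) in
        strict)
            # strict leaves the whole file system read-only, so the relay's
            # database directory has to be made writable again.
            rw=$(unit_get "$unit" ReadWritePaths)$(unit_get "$unit" StateDirectory)
            [ -n "$rw" ] || report "ReadWritePaths: unset with ProtectSystem=strict" ;;
        full|yes|true|on|1) ;;
        *) report "ProtectSystem: not enabled" ;;
    esac
    return $rc
}

# Constructed sample: hardening lines from the first unit in this thread.
demo=$(mktemp)
printf '%s\n' '[Service]' User=strfry ProtectHome=yes NoNewPrivileges=yes \
    ProtectSystem=full > "$demo"
audit_unit "$demo" || true
rm -f "$demo"
```

On a host with systemd, `systemd-analyze security <unit>` gives a broader exposure score for an installed unit.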