-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathsnapraidd.service.in
More file actions
69 lines (60 loc) · 2.55 KB
/
snapraidd.service.in
File metadata and controls
69 lines (60 loc) · 2.55 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
[Unit]
Description=SnapRAID Daemon
Documentation=https://www.snapraid.it
# Ensures data/parity disks are mounted before starting.
# Waits until all interfaces are fully configured with their IP addresses
# assigned. This works regardless of whether the daemon is configured to bind
# to all interfaces (0.0.0.0), a specific interface, or a specific IP address.
After=local-fs.target network-online.target
Wants=local-fs.target network-online.target
[Service]
Type=forking
PIDFile=/run/snapraidd.pid
ExecStart=@bindir@/snapraidd
ExecReload=/bin/kill -HUP $MAINPID
# Automatically restart the daemon if it crashes
Restart=on-failure
RestartSec=5
# Resource Management:
# SnapRAID is I/O heavy; these ensure it doesn't lag the system
Nice=19
IOSchedulingClass=idle
# --- SECURITY & HARDENING ---
# The daemon runs as root so that the 'snapraid' child process it spawns
# has the necessary block-level access to parity/data disks.
User=root
Group=root
# NoNewPrivileges=no allows child processes to gain privileges via
# SetUID/SetGID bits. This is required if the daemon needs to execute
# system-level mailers like 'postfix' or 'sendmail', which rely on these
# bits to write to the mail queue.
#
# HARDENING OPTIONS:
# 1. If you do not use SetUID tools (e.g., you use user-level tools like
# 'msmtp', 'ssmtp', or 'curl' for emails), you can set 'NoNewPrivileges=yes'
# to further restrict the process and its children from gaining privileges.
NoNewPrivileges=no
# ProtectHome=no is the default to ensure the 'snapraid' child can access
# data disks mounted under /home or restore files to user directories.
#
# HARDENING OPTIONS:
# 1. If your data/content files are NOT in /home:
# Set 'ProtectHome=yes' to completely hide /home from the daemon.
#
# 2. If your data is in /home but you want to restrict write access:
# Set 'ProtectHome=read-only' to make all of /home visible but
# immutable to the daemon, then use 'ReadWritePaths=' to carve out
# write access only where SnapRAID needs it.
# Example:
# ProtectHome=read-only
# ReadWritePaths=/home/user/storage /home/user/snapraid.content
ProtectHome=no
# ProtectSystem=full makes /usr, /boot, and /etc read-only for this service.
# This prevents the daemon from modifying the core OS configuration.
# To allow the daemon to update its own configuration while keeping the
# rest of /etc protected, we explicitly grant write access to the config file.
ProtectSystem=full
ReadWritePaths=@readwritepaths@
[Install]
# Start automatically when the system reaches the standard multi-user state
WantedBy=multi-user.target