| Jan Kundrát | a6b3f5a | 2020-01-29 19:27:28 +0100 | [diff] [blame^] | 1 | # CzechLight-specific configuration: |
| 2 | # |
| 3 | # - do not record a failed unit when that thing dies (likely due to a network issue) |
| 4 | # - only start when a custom config file exists |
| 5 | # - do not bring in a network-online.target because that might trigger |
| 6 | # extra failure reports (and a watchdog action) |
| 7 | # - keep retrying upon failure(s) |
| 8 | |
| 9 | [Unit] |
| 10 | Description=Journal Remote Upload Service |
| 11 | |
| 12 | [Service] |
| 13 | DynamicUser=yes |
| 14 | LockPersonality=yes |
| 15 | MemoryDenyWriteExecute=yes |
| 16 | PrivateDevices=yes |
| 17 | ProtectControlGroups=yes |
| 18 | ProtectHome=yes |
| 19 | ProtectHostname=yes |
| 20 | ProtectKernelModules=yes |
| 21 | ProtectKernelTunables=yes |
| 22 | RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 |
| 23 | RestrictNamespaces=yes |
| 24 | RestrictRealtime=yes |
| 25 | StateDirectory=systemd/journal-upload |
| 26 | SupplementaryGroups=systemd-journal |
| 27 | SystemCallArchitectures=native |
| 28 | User=systemd-journal-upload |
| 29 | WatchdogSec=3min |
| 30 | LimitNOFILE=524288 |
| 31 | |
| 32 | # - ignore failures |
| 33 | # - read (one) location from the env file |
| 34 | ExecStart=-/usr/lib/systemd/systemd-journal-upload --save-state --url=${DESTINATION} |
| 35 | EnvironmentFile=-/cfg/journald-remote |
| 36 | |
| 37 | # run forever and ignore any network issues |
| 38 | Restart=always |
| 39 | RestartSec=5 |
| 40 | |
| 41 | [Unit] |
| 42 | # shared as an env file |
| 43 | ConditionFileNotEmpty=/cfg/journald-remote |