From 37e2fcc019f2b2f8c1e2fb5cc0bdadf34a41bcb7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ferdinand=20M=C3=BCtsch?=
Date: Sun, 26 Feb 2023 10:12:47 +0100
Subject: [PATCH] chore: add systemd service unit example

---
 etc/mailwhale.service | 44 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 etc/mailwhale.service

diff --git a/etc/mailwhale.service b/etc/mailwhale.service
new file mode 100644
index 0000000..1c4d63f
--- /dev/null
+++ b/etc/mailwhale.service
@@ -0,0 +1,44 @@
+[Unit]
+Description=MailWhale
+StartLimitIntervalSec=400
+StartLimitBurst=3
+
+[Service]
+Type=simple
+
+# Assuming MailWhale executable is under /opt/mailwhale and config file at /etc
+# Feel free to change this
+WorkingDirectory=/opt/mailwhale
+ExecStart=/opt/mailwhale/mailwhale -config /etc/mailwhale.yml
+
+# Optionally override some config options using additional environment variables, see README for more
+Environment=MW_ENV=prod
+
+# sudo groupadd mailwhale
+# sudo useradd -g mailwhale mailwhale
+User=mailwhale
+Group=mailwhale
+RuntimeDirectory=mailwhale # creates /run/mailwhale
+
+Restart=on-failure
+RestartSec=90
+
+# Security hardening (all optional)
+PrivateTmp=true
+PrivateUsers=true
+NoNewPrivileges=true
+ProtectSystem=full
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+PrivateDevices=true
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+ProtectClock=true
+RestrictSUIDSGID=true
+ProtectHostname=true
+ProtectProc=invisible
+
+[Install]
+WantedBy=multi-user.target
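Review bot: The trailing `# creates /run/mailwhale` on the `RuntimeDirectory=` line is not a comment to systemd, which only recognises `#` at the start of a line, so the rest of the line is parsed as additional entries in the directory list. Put the comment on its own line, `# creates /run/mailwhale`, followed by a bare `RuntimeDirectory=mailwhale`. In the hardening block, `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` only limits what the unprivileged `mailwhale` user could ever hold and grants nothing, and with `PrivateUsers=true` the process should have no capabilities on the host in any case. If the service listens on an unprivileged port (not visible in this hunk), an empty `CapabilityBoundingSet=` would state the intent more tightly. A comment next to `Environment=` pointing readers to a restricted-permission `EnvironmentFile=` for secrets would also help, since unit files and `systemctl show` output are typically readable by any local user.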