blob: b57d7ec001d70a1cc6606ba5a9f4ce0a10cbc56c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
# -*- mode: conf-unix; -*-
[Unit]
Description=GNU Shepherd Daemon
After=network.target
Wants=guix-daemon.service
[Service]
Type=forking
ExecStart=/usr/bin/bash -c "source $GUIX_PROFILE/etc/profile && shepherd"
ExecStop=herd stop root
ExecStopPost=rm %t/shepherd/socket -v
# disallow writing to /usr, /bin, /sbin, ...
# ProtectSystem=yes
Environment="GUIX_PROFILE=%h/.guix-profile"
Environment="GUIX_LOCPATH=%h/.guix-profile/lib/locale"
# # more paranoid security settings
# NoNewPrivileges=yes
# ProtectKernelTunables=yes
# ProtectControlGroups=yes
# # AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
# RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
# RestrictNamespaces=yes
[Install]
WantedBy=default.target
|