iocaine/data/iocaine.service

# SPDX-FileCopyrightText: 2025 Gergely Nagy
# SPDX-FileContributor: Gergely Nagy
#
# SPDX-License-Identifier: MIT
[Unit]
After=network.target
Description=iocaine, the deadliest poison known to AI

[Service]
Type=simple
ExecStart=/usr/local/bin/iocaine --config-file /usr/local/etc/iocaine/config.toml

DevicePolicy=closed
DynamicUser=true
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
Restart=on-failure
RestrictAddressFamilies=AF_INET
RestrictAddressFamilies=AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
Major documentation update This adds plenty of documentation: describing what iocaine is, how it does what it does, and how to deploy it in various scenarios. Not complete yet, but reasonably detailed nevertheless. Signed-off-by: Gergely Nagy <me@gergo.csillger.hu> 2025-01-16 23:44:29 +01:00			`# SPDX-FileCopyrightText: 2025 Gergely Nagy`
			`# SPDX-FileContributor: Gergely Nagy`
			`#`
			`# SPDX-License-Identifier: MIT`
			`[Unit]`
			`After=network.target`
			`Description=iocaine, the deadliest poison known to AI`

			`[Service]`
			`Type=simple`
			`ExecStart=/usr/local/bin/iocaine --config-file /usr/local/etc/iocaine/config.toml`

			`DevicePolicy=closed`
			`DynamicUser=true`
			`LockPersonality=true`
			`MemoryDenyWriteExecute=true`
			`NoNewPrivileges=true`
			`PrivateDevices=true`
			`PrivateTmp=true`
			`ProtectClock=true`
			`ProtectControlGroups=true`
			`ProtectHostname=true`
			`ProtectKernelModules=true`
			`ProtectKernelTunables=true`
			`ProtectProc=invisible`
			`ProtectSystem=strict`
			`Restart=on-failure`
			`RestrictAddressFamilies=AF_INET`
			`RestrictAddressFamilies=AF_INET6`
			`RestrictNamespaces=true`
			`RestrictRealtime=true`
			`SystemCallArchitectures=native`

			`[Install]`
			`WantedBy=multi-user.target`