arthur.barton.de Git - netdata.git/blob - system/netdata.service.in
Harden the netdata systemd service
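# systemd unit template for the netdata monitoring daemon.
# @sbindir_POST@ and @localstatedir_POST@ are placeholders in this .in template;
# presumably they are substituted at build time (the substitution step is not shown here).

[Unit]
Description=Linux real time system monitoring, done right
# Ordering only: netdata starts after these units when they are started together.
# After= neither pulls them in nor makes netdata fail when they are absent.
After=network.target httpd.service squid.service nfs-server.service mysqld.service named.service postfix.service

[Service]
# The ExecStart= process is expected to fork and exit; systemd then follows the
# daemon through the PID written to PIDFile=.
Type=forking
# Because PrivateTmp=true is set below, this /tmp is the service's private instance.
WorkingDirectory=/tmp
# Run unprivileged; the only capabilities kept are the two listed under Hardening.
User=netdata
Group=netdata
# Creates /run/netdata owned by User=/Group= at start and removes it at stop.
RuntimeDirectory=netdata
# PIDFile= and the -P argument must name the same file.
# NOTE(review): the path is writable by the netdata user only if
# @localstatedir_POST@/run resolves to /run (the RuntimeDirectory= above) - confirm.
PIDFile=@localstatedir_POST@/run/netdata/netdata.pid
ExecStart=@sbindir_POST@/netdata -P @localstatedir_POST@/run/netdata/netdata.pid
# SIGTERM goes to the main process; after TimeoutStopSec= anything left in the
# unit's control group is sent SIGKILL.
KillMode=mixed
KillSignal=SIGTERM
TimeoutStopSec=30

# Hardening
# Capabilities handed to the unprivileged process and inherited by its children.
# With NoNewPrivileges in force, setuid bits and file capabilities on helper
# binaries no longer elevate, so whatever a child needs must be in this ambient set.
#   CAP_DAC_READ_SEARCH - bypass file read and directory search permission checks
#   CAP_SYS_PTRACE      - inspect processes owned by other users
# Both are broad read privileges; treat the daemon as able to read any file and
# any process state visible in its mount and PID namespaces.
AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
# Upper limit: no process in this unit can ever hold a capability outside this set.
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE
# Private /tmp and /var/tmp, not shared with other services.
PrivateTmp=true
# /usr, the boot loader directories and /etc are mounted read-only for the service.
ProtectSystem=full
# /home, /root and /run/user are mounted read-only for the service.
ProtectHome=read-only
# Already implied by MemoryDenyWriteExecute=true for a unit that runs with User=
# (no CAP_SYS_ADMIN). Set explicitly so the guarantee does not silently disappear
# if that directive is later removed or changed.
NoNewPrivileges=true
# Forbids memory mappings that are writable and executable at the same time, and
# turning existing mappings executable.
# NOTE(review): anything that generates code at run time (JIT) fails under this -
# verify the plugins that are shipped.
MemoryDenyWriteExecute=true

[Install]
WantedBy=multi-user.target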