# gotermix.service — systemd unit for the GoTermix web terminal.
[Unit]
Description=GoTermix — web terminal
Documentation=https://ghb.freebede.com/nahakubuilder/gotermix
# Order the service after network.target and pull that target in.
# network.target is only an ordering point: it does not wait for interfaces
# to be configured or for addresses to be assigned.
After=network.target
Wants=network.target
[Service]
# The process started by ExecStart= is the main service process (no forking,
# no readiness notification).
Type=simple
# Run as a dedicated unprivileged user.
# Create it first:
# useradd --system --no-create-home --shell /sbin/nologin gotermix
User=gotermix
Group=gotermix
# Working directory — binary, gws-creds.json and gotermix.log live here.
# NOTE(review): gws-creds.json presumably holds credentials — keep it owned by
# the gotermix user and unreadable to everyone else (for example mode 0600).
WorkingDirectory=/opt/gotermix
# Absolute path to the binary.
# -addr 0.0.0.0:5000 listens on every IPv4 interface, TCP port 5000.
# NOTE(review): this exposes a web terminal on all interfaces, and nothing in
# this unit shows TLS or authentication being configured. Unless the binary
# provides both itself, bind to loopback (e.g. -addr 127.0.0.1:5000) and
# publish it through a reverse proxy that terminates TLS and authenticates.
ExecStart=/opt/gotermix/gotermix -addr 0.0.0.0:5000
# Restart policy: restart only after an unclean exit (non-zero status, signal,
# timeout), waiting 5 seconds between attempts.
Restart=on-failure
RestartSec=5s
# ── Hardening ────────────────────────────────────────────────────────
# No new privileges beyond what the service user already has: the process and
# all of its children cannot gain privileges through execve() (setuid/setgid
# bits and file capabilities are ignored).
NoNewPrivileges=true
# Private /tmp — isolates temp files from other services.
PrivateTmp=true
# strict mounts the whole file system hierarchy read-only for this service
# (not just /usr, /boot and /etc), except the API file systems /dev, /proc
# and /sys. Anything the service must write has to be listed in ReadWritePaths=.
ProtectSystem=strict
# Allow the service to write its own data directory.
# NOTE(review): the binary lives in this same directory, so the service can
# overwrite its own executable. Consider keeping the binary in a read-only
# location and making only a data subdirectory writable.
ReadWritePaths=/opt/gotermix
# Hide /home, /root and /run/user from the process (they appear empty and
# inaccessible).
ProtectHome=true
# Prevent loading kernel modules.
ProtectKernelModules=true
# Prevent writing to kernel tunables (/proc/sys, /sys and similar become
# read-only).
ProtectKernelTunables=true
# Prevent altering control groups (/sys/fs/cgroup becomes read-only).
ProtectControlGroups=true
# Allow only necessary syscall groups. @system-service is systemd's predefined
# allow-list for typical services; a syscall outside it fails with EPERM
# (SystemCallErrorNumber=) instead of terminating the process.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Restrict socket address families to IPv4/IPv6 (needed for HTTP listener +
# WebSocket) and Unix domain sockets.
# NOTE(review): the reason for allowing AF_UNIX is not stated here — confirm
# it is actually needed.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# RestrictRealtime=true refuses realtime scheduling policies, and
# LockPersonality=true locks the execution domain (personality(2)).
# Neither setting restricts ptrace or other debugging interfaces; ptrace is
# limited here only by the SystemCallFilter= allow-list above, which does not
# include the @debug set.
RestrictRealtime=true
LockPersonality=true
MemoryDenyWriteExecute=false
# Note: MemoryDenyWriteExecute left off (false is also the systemd default),
# so the service may create memory mappings that are writable and executable.
# The stated reason is that the Go runtime needs JIT-style writes.
# NOTE(review): pure-Go binaries normally do not need writable+executable
# mappings — verify whether this one does (cgo, embedded engines) and, if not,
# test with MemoryDenyWriteExecute=true.
[Install]
# `systemctl enable` hooks the unit into multi-user.target, so it starts at
# boot as part of the normal multi-user system.
WantedBy=multi-user.target