rick-infra/roles/valkey/templates/valkey.service.j2

# Valkey Systemd Service
# Generated by rick-infra Valkey role
#
# This service provides a secure, hardened Valkey instance with proper configuration loading

[Unit]
Description=Valkey (Redis-compatible) Key-Value Store
Documentation=https://valkey.io/
After=network.target
Wants=network-online.target
{% if valkey_unix_socket_enabled and valkey_client_group_create %}
Wants=valkey-socket-fix.service
{% endif %}

[Service]
Type=notify
User=valkey
Group=valkey

# Core service configuration - ensures config file is loaded
ExecStart=/usr/bin/valkey-server /etc/valkey/valkey.conf --supervised systemd
ExecReload=/bin/kill -USR2 $MAINPID

# Restart configuration
Restart=on-failure
RestartSec=5s
TimeoutStartSec=60
TimeoutStopSec=60

# Runtime directory
RuntimeDirectory=valkey
RuntimeDirectoryMode=755

# Resource limits
LimitNOFILE=10032

# Security hardening
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

# Network security
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Filesystem permissions
ReadWritePaths=/var/lib/valkey
ReadOnlyPaths=/etc/valkey

# System call filtering
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @obsolete

# Memory and resource limits
MemoryDenyWriteExecute=yes
LockPersonality=yes

# Capabilities (remove all unnecessary capabilities)
CapabilityBoundingSet=
AmbientCapabilities=

# Process isolation
PrivateUsers=yes
RemoveIPC=yes

# Additional security
UMask=0027

# Ensure service stops cleanly
KillMode=mixed
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target
Alias=redis.service