rick-infra/roles/valkey/templates/valkey.service.j2
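# Valkey Systemd Service
# Generated by rick-infra Valkey role
#
# This service provides a secure, hardened Valkey instance with proper configuration loading.
# Sandbox note: ProtectSystem=strict makes the whole filesystem read-only except the
# paths listed in ReadWritePaths. Any logfile, pidfile or dir set in valkey.conf outside
# /var/lib/valkey must be added there or the server will fail to open it.

[Unit]
Description=Valkey (Redis-compatible) Key-Value Store
Documentation=https://valkey.io/
# Wants= only pulls network-online.target in; After= is what orders startup behind it,
# so both must name the same target (After=network.target alone does not wait for it).
Wants=network-online.target
After=network-online.target

[Service]
Type=notify
User=valkey
Group=valkey

# Core service configuration - ensures config file is loaded.
# --supervised systemd makes valkey-server send READY=1, which Type=notify requires.
ExecStart=/usr/bin/valkey-server /etc/valkey/valkey.conf --supervised systemd
# No ExecReload: valkey-server installs no handler for SIGUSR2, so a
# "kill -USR2 $MAINPID" reload would terminate the server (and trip
# Restart=on-failure) instead of re-reading valkey.conf. Runtime changes
# go through CONFIG SET / CONFIG REWRITE on an admin connection.

# Restart configuration
Restart=on-failure
RestartSec=5s
TimeoutStartSec=60s
TimeoutStopSec=60s

# Runtime directory (/run/valkey), created owned by User=/Group= above.
# 755 keeps it traversable by other users, e.g. for a unix socket placed there.
RuntimeDirectory=valkey
RuntimeDirectoryMode=755

# Resource limits
# 10032 = default maxclients (10000) + the 32 descriptors valkey reserves for
# itself. Keep this >= maxclients + 32 from valkey.conf: when the limit is
# already sufficient the server never calls setrlimit(), which the
# ~@resources syscall filter below would otherwise kill it for.
LimitNOFILE=10032

# Security hardening
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
SystemCallArchitectures=native

# Network security
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Filesystem permissions
# Only the data directory is writable. ProtectSystem=strict already makes
# /etc/valkey read-only; ReadOnlyPaths restates the intent explicitly.
ReadWritePaths=/var/lib/valkey
ReadOnlyPaths=/etc/valkey

# System call filtering: allow the system-service set, then deny groups a
# key-value store has no reason to call. Without SystemCallErrorNumber= a
# filtered call terminates the process with SIGSYS, so look for seccomp
# audit records in the journal if the service dies unexpectedly.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @obsolete

# Memory and resource limits
MemoryDenyWriteExecute=yes
LockPersonality=yes

# Capabilities: drop all. The server runs unprivileged and, as long as the
# configured port stays above 1024, needs no CAP_NET_BIND_SERVICE.
CapabilityBoundingSet=
AmbientCapabilities=

# Process isolation
PrivateUsers=yes
RemoveIPC=yes

# Additional security: files the server creates default to 0640 / 0750
UMask=0027

# Ensure service stops cleanly: SIGTERM goes to the main process first, and
# anything still left in the cgroup after TimeoutStopSec gets SIGKILL.
KillMode=mixed
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target
# Keeps "systemctl ... redis" working for tooling that expects the Redis unit name.
Alias=redis.service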