59 lines
1.2 KiB
Desktop File
59 lines
1.2 KiB
Desktop File
[Unit]
|
|
Description=StellaOps Zastava Agent - Container Runtime Monitor
|
|
Documentation=https://docs.stellaops.org/zastava/agent/
|
|
After=network-online.target docker.service containerd.service
|
|
Wants=network-online.target
|
|
Requires=docker.service
|
|
|
|
[Service]
|
|
Type=notify
|
|
ExecStart=/opt/stellaops/zastava-agent/StellaOps.Zastava.Agent
|
|
WorkingDirectory=/opt/stellaops/zastava-agent
|
|
Restart=always
|
|
RestartSec=5
|
|
|
|
# Environment configuration
|
|
EnvironmentFile=-/etc/stellaops/zastava-agent.env
|
|
Environment=DOTNET_ENVIRONMENT=Production
|
|
Environment=ASPNETCORE_ENVIRONMENT=Production
|
|
|
|
# User and permissions
|
|
User=zastava-agent
|
|
Group=docker
|
|
|
|
# Security hardening
|
|
NoNewPrivileges=true
|
|
ProtectSystem=strict
|
|
ProtectHome=true
|
|
PrivateTmp=true
|
|
PrivateDevices=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectControlGroups=true
|
|
RestrictRealtime=true
|
|
RestrictSUIDSGID=true
|
|
|
|
# Allow read access to Docker socket
|
|
ReadWritePaths=/var/run/docker.sock
|
|
ReadWritePaths=/var/lib/zastava-agent
|
|
|
|
# Capabilities
|
|
CapabilityBoundingSet=
|
|
AmbientCapabilities=
|
|
|
|
# Resource limits
|
|
LimitNOFILE=65536
|
|
LimitNPROC=4096
|
|
MemoryMax=512M
|
|
|
|
# Logging
|
|
StandardOutput=journal
|
|
StandardError=journal
|
|
SyslogIdentifier=zastava-agent
|
|
|
|
# Watchdog (5 minute timeout)
|
|
WatchdogSec=300
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|