Diffstat (limited to 'debian/netdata-core.netdata.service')
-rw-r--r--debian/netdata-core.netdata.service56
1 files changed, 56 insertions, 0 deletions
diff --git a/debian/netdata-core.netdata.service b/debian/netdata-core.netdata.service
new file mode 100644
index 00000000..fb62d077
--- /dev/null
+++ b/debian/netdata-core.netdata.service
@@ -0,0 +1,56 @@
+# netdata systemd target
+
+[Unit]
+Description=netdata - Real-time performance monitoring
+Documentation=man:netdata
+Documentation=file:///usr/share/doc/netdata/html/index.html
+Documentation=https://github.com/netdata/netdata
+After=network-online.target httpd.service squid.service nfs-server.service mysqld.service named.service postfix.service
+ConditionPathExists=/etc/netdata/netdata.conf
+
+[Service]
+Type=simple
+Environment="netdata_LOG_LOCATION=/var/log/netdata/log"
+ExecStart=/usr/sbin/netdata -D
+TimeoutStopSec=10
+KillMode=mixed
+KillSignal=SIGTERM
+OOMScoreAdjust=-900
+
+User=netdata
+Group=netdata
+Restart=on-abnormal
+RestartSec=2s
+LimitNOFILE=65536
+
+WorkingDirectory=/tmp
+
+# Hardening
+
+NoNewPrivileges=false
+PermissionsStartOnly=true
+# CAP_SETGID is required for setgroups()
+# CAP_NET_RAW is needed by fping, see #864370
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_SETGID CAP_SETUID CAP_NET_RAW CAP_AUDIT_WRITE
+PrivateTmp=true
+ProtectHome=read-only
+ProtectSystem=full
+
+ReadOnlyDirectories=/
+ReadWriteDirectories=/dev
+ReadWriteDirectories=/proc/self
+ReadWriteDirectories=/var/cache/netdata
+ReadWriteDirectories=/var/lib/netdata
+ReadWriteDirectories=/var/log
+ReadWriteDirectories=/var/spool
+ReadWriteDirectories=/run
+
+RuntimeDirectory=netdata
+
+# Access to devices and kernel modules and tunables is required
+PrivateDevices=no
+ProtectKernelModules=no
+ProtectKernelTunables=no
+
+[Install]
+WantedBy=multi-user.target
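Review bot: The write allow-list under `ReadOnlyDirectories=/` looks wider than the rest of the unit needs: `ReadWriteDirectories=/var/log` opens the whole log tree although the only log path set here is `/var/log/netdata/log`, and `ReadWriteDirectories=/run` is broad given that `RuntimeDirectory=netdata` should already cover the daemon's own runtime directory. Narrowing the first to `ReadWriteDirectories=/var/log/netdata` would stop the service from reaching other services' logs wherever file permissions would otherwise allow it, and `/var/spool`, `/run` and `/dev` each deserve a one-line comment naming the plugin that needs them. Separately, `NoNewPrivileges=false` sits under `# Hardening` with no explanation, while the bounding set leaves CAP_SETUID, CAP_SYS_PTRACE and CAP_DAC_READ_SEARCH obtainable by any setuid or file-capability helper the service executes. Presumably the plugins rely on that, so a comment such as `# must stay off: plugin helpers gain their capabilities via setuid/file caps` (to be confirmed by the maintainer) would make the trade-off explicit, alongside a justification for the four capabilities the existing comments do not cover. `PermissionsStartOnly=true` appears to have no effect here because the unit defines no ExecStartPre/ExecStartPost commands.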