authorDavid Runge <dave@sleepmap.de>2020-09-12 18:18:00 +0200
committerDavid Runge <dave@sleepmap.de>2020-09-12 18:18:00 +0200
commit549bf806e1e4b12a14a463db87438608f7025eb9 (patch)
tree3adc825bebe46c683e550badd73800341e626a80 /.config/systemd/user/logrotate.service
parent0d104b87b8afdbf81dd5372f9ae36b9b4076a920 (diff)
Add basic logrotate integration
.config/logrotate.conf: Add configuration to rotate sway and a2jmidid logs. .config/systemd/user/logrotate.{service,timer}: Add service and timer based on the system versions provided by logrotate.
Diffstat (limited to '.config/systemd/user/logrotate.service')
-rw-r--r--.config/systemd/user/logrotate.service28
1 files changed, 28 insertions, 0 deletions
diff --git a/.config/systemd/user/logrotate.service b/.config/systemd/user/logrotate.service
new file mode 100644
index 0000000..f517394
--- /dev/null
+++ b/.config/systemd/user/logrotate.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=Rotate log files
+Documentation=man:logrotate(8) man:logrotate.conf(5)
+ConditionACPower=true
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/logrotate %h/.config/logrotate.conf -s %S/logrotate.status -v
+Nice=19
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+
+# hardening options
+# details: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+# no ProtectHome for userdir logs
+# no PrivateNetwork for mail deliviery
+# no NoNewPrivileges for third party rotate scripts
+# LockPersonality=true
+# MemoryDenyWriteExecute=true
+# PrivateDevices=true
+# PrivateTmp=true
+# ProtectControlGroups=true
+# ProtectKernelLogs=true
+# ProtectKernelModules=true
+# ProtectKernelTunables=true
+# ProtectSystem=full
+# RestrictNamespaces=true
+# RestrictRealtime=true
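Review bot: Every directive under `# hardening options` is commented out, so the unit as added runs logrotate with no restrictions, and the three `# no …` rationale lines read as carried over from the system unit rather than describing this user unit. If the `%h/.config/logrotate.conf` passed in `ExecStart=` (not shown here) has no rotate scripts that need setuid helpers, `NoNewPrivileges=true` could be enabled, together with seccomp-based settings such as `LockPersonality=true` and `RestrictRealtime=true`, which systemd.exec(5) documents as implying NoNewPrivileges in user mode anyway. The mount-namespace options (`PrivateTmp=`, `ProtectSystem=`, `PrivateDevices=`) may not be applicable under an unprivileged user manager; if that is why the block is disabled, a comment such as `# sandboxing below left disabled: not available to the unprivileged user manager` would record it.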