From e00c7a7eddc39a3f19c70d4cbed3bf2116cea368 Mon Sep 17 00:00:00 2001
From: Konstantin Shalygin
Date: Sun, 13 Oct 2024 21:00:54 +0300
Subject: [PATCH] fix(contrib): revamped systemd service example (#2655)

---
 contrib/oauth2-proxy.service.example | 39 ++++++++++++++++++----------
 1 file changed, 25 insertions(+), 14 deletions(-)

diff --git a/contrib/oauth2-proxy.service.example b/contrib/oauth2-proxy.service.example
index 081e7767..ec25906c 100644
--- a/contrib/oauth2-proxy.service.example
+++ b/contrib/oauth2-proxy.service.example
@@ -1,22 +1,33 @@
-# Systemd service file for oauth2-proxy daemon
-#
-# Date: Feb 9, 2016
-# Author: Srdjan Grubor
-
 [Unit]
 Description=oauth2-proxy daemon service
-After=network.target
+After=network.target network-online.target nss-lookup.target basic.target
+Wants=network-online.target nss-lookup.target
+StartLimitIntervalSec=30
+StartLimitBurst=3

 [Service]
-# www-data group and user need to be created before using these lines
-User=www-data
-Group=www-data
-
-ExecStart=/usr/local/bin/oauth2-proxy --config=/etc/oauth2-proxy.cfg
+User=oauth2-proxy
+Group=oauth2-proxy
+Restart=on-failure
+RestartSec=30
+WorkingDirectory=/etc/oauth2-proxy
+ExecStart=/usr/bin/oauth2-proxy --config=/etc/oauth2-proxy/oauth2-proxy.cfg
 ExecReload=/bin/kill -HUP $MAINPID
-
-KillMode=process
-Restart=always
+LimitNOFILE=65535
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=full
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+LockPersonality=true
+RestrictRealtime=yes
+RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+PrivateTmp=true
+CapabilityBoundingSet=

 [Install]
 WantedBy=multi-user.target
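Review bot: The start-rate limit added in `[Unit]` can never trip as written: `StartLimitBurst=3` within `StartLimitIntervalSec=30` needs more than three starts inside 30 seconds, but `RestartSec=30` in `[Service]` spaces restarts at least 30 seconds apart, so a proxy that exits on a bad config restarts indefinitely instead of landing in the failed state where monitoring would see it. Widening the window, for example `StartLimitIntervalSec=300`, or shortening `RestartSec`, makes the limit effective. The commit also drops the comment saying the service account must exist, yet `User=oauth2-proxy` and `Group=oauth2-proxy` have the same requirement; I would keep a line such as `# oauth2-proxy user and group must exist; the config file typically holds secrets and should be readable only by this account`. The empty `CapabilityBoundingSet=` also means the proxy cannot bind ports below 1024 under this unit, which deserves a one-line comment for anyone listening on 443 directly.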