From ae72e6f356daaca3858886ab50459f6700449e01 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=94=D0=BC=D0=B8=D1=82=D1=80=D0=B8=D0=B9=20=D0=9C=D0=B0?= =?UTF-8?q?=D1=80=D0=BA=D0=BE=D0=B2?= <13werwolf13@mail.ru>
Date: Thu, 12 Mar 2026 12:26:23 +0500
Subject: [PATCH] systemd contrib, add sysuser & tmpfiles configs, fix service
---
contrib/systemd/system-user-telemt.conf | 3 +++
contrib/systemd/telemt.service | 29 +++++++++++++++++++++++++
contrib/systemd/tmpfiles-telemt.conf | 1 +
telemt.service | 16 --------------
4 files changed, 33 insertions(+), 16 deletions(-)
create mode 100644 contrib/systemd/system-user-telemt.conf
create mode 100644 contrib/systemd/telemt.service
create mode 100644 contrib/systemd/tmpfiles-telemt.conf
delete mode 100644 telemt.service
diff --git a/contrib/systemd/system-user-telemt.conf b/contrib/systemd/system-user-telemt.conf
new file mode 100644
index 0000000..918956c
--- /dev/null
+++ b/contrib/systemd/system-user-telemt.conf
@@ -0,0 +1,3 @@
+u telemt - "telemt user" /var/lib/telemt -
+g telemt - -
+m telemt telemt
diff --git a/contrib/systemd/telemt.service b/contrib/systemd/telemt.service
new file mode 100644
index 0000000..8e08efc
--- /dev/null
+++ b/contrib/systemd/telemt.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=Telemt
+Wants=network-online.target
+After=multi-user.target network.target network-online.target
+
+[Service]
+Type=simple
+User=telemt
+Group=telemt
+WorkingDirectory=/var/lib/telemt
+ExecStart=/bin/telemt /etc/telemt/telemt.toml
+Restart=on-failure
+RestartSec=10
+LimitNOFILE=65536
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+ProtectSystem=strict
+ProtectHome=read-only
+SystemCallFilter=~@mount
+ReadWritePaths=/var/lib/telemt
+
+[Install]
+WantedBy=multi-user.target
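Review bot: The `g telemt - -` and `m telemt telemt` lines in contrib/systemd/system-user-telemt.conf look redundant, because a `u` line already creates a group of the same name and uses it as the user's primary group. Keeping only the `u` line yields the same account. A leading comment such as `# unprivileged account for telemt.service; shell field "-" keeps the default non-login shell` would record why the last field is left unset.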
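Review bot: `After=multi-user.target` in the [Unit] section of contrib/systemd/telemt.service, combined with `WantedBy=multi-user.target`, should produce an ordering cycle, because a target by default orders itself after every unit it wants; systemd breaks such a cycle by dropping a job, so the service may not start at boot. I would reduce the line to `After=network-online.target`. On the sandboxing side, `ProtectHome=read-only` still lets a network-facing process read home directories, and `SystemCallFilter=~@mount` is a narrow denylist; `ProtectHome=yes` and `SystemCallFilter=@system-service` are tighter, provided telemt runs cleanly under them. The new unit also drops `TasksMax=` and `MemoryAccounting=` and lowers `LimitNOFILE` from 262144 to 65536 without explanation, which deserves a line in the commit description.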
diff --git a/contrib/systemd/tmpfiles-telemt.conf b/contrib/systemd/tmpfiles-telemt.conf
new file mode 100644
index 0000000..7c6628b
--- /dev/null
+++ b/contrib/systemd/tmpfiles-telemt.conf
@@ -0,0 +1 @@
+d /var/lib/telemt 700 telemt telemt
diff --git a/telemt.service b/telemt.service
deleted file mode 100644
index f163057..0000000
--- a/telemt.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=Telemt
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-Type=simple
-WorkingDirectory=/etc/telemt
-ExecStart=/bin/telemt /etc/telemt.toml
-Restart=on-failure
-LimitNOFILE=262144
-TasksMax=8192
-MemoryAccounting=yes
-
-[Install]
-WantedBy=multi-user.target
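Review bot: The service will likely fail to start until systemd-tmpfiles has applied contrib/systemd/tmpfiles-telemt.conf, because `WorkingDirectory=` and `ReadWritePaths=` in contrib/systemd/telemt.service both require /var/lib/telemt to exist. `StateDirectory=telemt` with `StateDirectoryMode=0700` in the unit would have systemd create the directory, owned by the service user, at start, which makes this file and the `ReadWritePaths=` line unnecessary. If the file stays, writing the mode as `0700` matches the usual four-digit form.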