GamePlayer-8 · June 1, 2025 14:59
diff --git a/[email protected] b/[email protected]
 [Unit]
 Description=Podman API Service per user
 Documentation=man:podman-generate-systemd(1)
 Wants=network-online.target
 After=network-online.target user@%i.service user-%i.slice
 Requires=user@%i.service
 RequiresMountsFor=%t/containers

 [Service]
 EnvironmentFile=-/etc/default/podman.%i
 Restart=on-failure
 TimeoutStartSec=900
 TimeoutStopSec=70
 ExecStart=su %i sh -c '/usr/bin/podman system service ${podman_opts:=--time 0} ${podman_uri:=unix:///home/%i/.podman.sock}'
 ExecStartPost=su %i sh -c '/usr/bin/podman start --all --filter restart-policy=always'
 Type=simple

 # Minimal security settings that work with Podman:
 NoNewPrivileges=yes
 ProtectSystem=strict
 ProtectKernelTunables=yes
 ProtectControlGroups=yes
 RestrictRealtime=yes
 MemoryDenyWriteExecute=yes
 UMask=0077

 # Critical Podman requirements:
 ProtectKernelModules=yes
 SystemCallFilter=~@cpu-emulation @module @obsolete @raw-io @reboot @swap

 [Install]
 WantedBy=multi-user.target
	[Unit]
	Description=Podman API Service per user
	Documentation=man:podman-generate-systemd(1)
	Wants=network-online.target
	After=network-online.target user@%i.service user-%i.slice
	Requires=user@%i.service
	RequiresMountsFor=%t/containers

	[Service]
	EnvironmentFile=-/etc/default/podman.%i
	Restart=on-failure
	TimeoutStartSec=900
	TimeoutStopSec=70
	ExecStart=su %i sh -c '/usr/bin/podman system service ${podman_opts:=--time 0} ${podman_uri:=unix:///home/%i/.podman.sock}'
	ExecStartPost=su %i sh -c '/usr/bin/podman start --all --filter restart-policy=always'
	Type=simple

	# Minimal security settings that work with Podman:
	NoNewPrivileges=yes
	ProtectSystem=strict
	ProtectKernelTunables=yes
	ProtectControlGroups=yes
	RestrictRealtime=yes
	MemoryDenyWriteExecute=yes
	UMask=0077

	# Critical Podman requirements:
	ProtectKernelModules=yes
	SystemCallFilter=~@cpu-emulation @module @obsolete @raw-io @reboot @swap

	[Install]
	WantedBy=multi-user.target