etc/systemd

etc/systemd/system/multi-user.target.wants/apache2.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=The Apache HTTP Server
+After=network.target remote-fs.target nss-lookup.target
+Documentation=https://httpd.apache.org/docs/2.4/
+
+[Service]
+Type=forking
+Environment=APACHE_STARTED_BY_SYSTEMD=true
+ExecStart=/usr/sbin/apachectl start
+ExecStop=/usr/sbin/apachectl graceful-stop
+ExecReload=/usr/sbin/apachectl graceful
+KillMode=mixed
+PrivateTmp=true
+Restart=on-abort
+OOMPolicy=continue
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/multi-user.target.wants/caddy.service

@@ -0,0 +1,36 @@
+# caddy.service
+#
+# For using Caddy with a config file.
+#
+# Make sure the ExecStart and ExecReload commands are correct
+# for your installation.
+#
+# See https://caddyserver.com/docs/install for instructions.
+#
+# WARNING: This service does not use the --resume flag, so if you
+# use the API to make changes, they will be overwritten by the
+# Caddyfile next time the service is restarted. If you intend to
+# use Caddy's API to configure it, add the --resume flag to the
+# `caddy run` command or use the caddy-api.service file instead.
+
+[Unit]
+Description=Caddy
+Documentation=https://caddyserver.com/docs/
+After=network.target network-online.target
+Requires=network-online.target
+
+[Service]
+Type=notify
+User=caddy
+Group=caddy
+ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
+ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
+TimeoutStopSec=5s
+LimitNOFILE=1048576
+LimitNPROC=512
+PrivateTmp=true
+ProtectSystem=full
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/multi-user.target.wants/console-setup.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Set console font and keymap
+DefaultDependencies=no
+After=console-screen.service kbd.service local-fs.target
+Before=display-manager.service
+RequiresMountsFor=/usr
+ConditionPathExists=/bin/setupcon
+
+[Service]
+Type=oneshot
+ExecStart=/lib/console-setup/console-setup.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/multi-user.target.wants/cron.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Regular background program processing daemon
+Documentation=man:cron(8)
+After=remote-fs.target nss-user-lookup.target
+
+[Service]
+EnvironmentFile=-/etc/default/cron
+ExecStart=/usr/sbin/cron -f $EXTRA_OPTS
+IgnoreSIGPIPE=false
+KillMode=process
+Restart=on-failure
+SyslogFacility=cron
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/multi-user.target.wants/e2scrub_reap.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=Remove Stale Online ext4 Metadata Check Snapshots
+ConditionCapability=CAP_SYS_ADMIN
+ConditionCapability=CAP_SYS_RAWIO
+Documentation=man:e2scrub_all(8)
+
+[Service]
+Type=oneshot
+WorkingDirectory=/
+PrivateNetwork=true
+ProtectSystem=true
+ProtectHome=read-only
+PrivateTmp=yes
+AmbientCapabilities=CAP_SYS_ADMIN CAP_SYS_RAWIO
+NoNewPrivileges=yes
+User=root
+IOSchedulingClass=idle
+CPUSchedulingPolicy=idle
+Environment=SERVICE_MODE=1
+ExecStart=/sbin/e2scrub_all -A -r
+SyslogIdentifier=%N
+RemainAfterExit=no
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/multi-user.target.wants/grub-common.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Record successful boot for GRUB
+After=suspend.target hibernate.target hybrid-sleep.target suspend-then-hibernate.target
+ConditionPathExists=/boot/grub/grub.cfg
+
+[Service]
+Type=oneshot
+Restart=no
+ExecStartPre=/bin/sh -c '[ -s /boot/grub/grubenv ] || rm -f /boot/grub/grubenv; mkdir -p /boot/grub'
+ExecStart=grub-editenv /boot/grub/grubenv unset recordfail
+ExecStartPost=/bin/sh -c 'if grub-editenv /boot/grub/grubenv list | grep -q initrdless_boot_fallback_triggered=1; then echo "grub: GRUB_FORCE_PARTUUID set, initrdless boot paniced, fallback triggered."; fi'
+StandardOutput=kmsg
+
+[Install]
+WantedBy=multi-user.target suspend.target hibernate.target hybrid-sleep.target suspend-then-hibernate.target

etc/systemd/system/multi-user.target.wants/mariadb.service

@@ -0,0 +1,179 @@
+# It's not recommended to modify this file in-place, because it will be
+# overwritten during package upgrades.  If you want to customize, the
+# best way is to create a file "/etc/systemd/system/mariadb.service",
+# containing
+#	.include /usr/lib/systemd/system/mariadb.service
+#	...make your changes here...
+# or create a file "/etc/systemd/system/mariadb.service.d/foo.conf",
+# which doesn't need to include ".include" call and which will be parsed
+# after the file mariadb.service itself is parsed.
+#
+# For more info about custom unit files, see systemd.unit(5) or
+# https://mariadb.com/kb/en/mariadb/systemd/
+#
+# Copyright notice:
+#
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=MariaDB 11.8.3 database server
+Documentation=man:mariadbd(8)
+Documentation=https://mariadb.com/kb/en/library/systemd/
+After=network.target
+
+[Install]
+WantedBy=multi-user.target
+
+
+[Service]
+
+##############################################################################
+## Core requirements
+##
+
+Type=notify
+
+# Setting this to true can break replication and the Type=notify settings
+# See also bind-address mariadbd option.
+PrivateNetwork=false
+
+##############################################################################
+## Package maintainers
+##
+
+User=mysql
+Group=mysql
+
+# CAP_IPC_LOCK To allow memlock to be used as non-root user
+# These are enabled by default
+AmbientCapabilities=CAP_IPC_LOCK
+
+# PrivateDevices=true implies NoNewPrivileges=true and
+# SUID auth_pam_tool suddenly doesn't do setuid anymore
+PrivateDevices=false
+
+# Prevent writes to /usr, /boot, and /etc
+ProtectSystem=full
+
+
+
+# Doesn't yet work properly with SELinux enabled
+# NoNewPrivileges=true
+
+# Prevent accessing /home, /root and /run/user
+ProtectHome=true
+
+# Use an environment file to pass variable _WSREP_NEW_CLUSTER
+EnvironmentFile=-/run/mysqld/wsrep-new-cluster
+
+# Use an environment file to pass variable _WSREP_START_POSITION
+EnvironmentFile=-/run/mysqld/wsrep-start-position
+
+ExecStartPre=+/usr/bin/install -m 755 -o mysql -g root -d /var/run/mysqld
+
+# Perform automatic wsrep recovery. When server is started without wsrep,
+# galera_recovery simply returns an empty string. In any case, however,
+# the script is not expected to return with a non-zero status.
+# It is always safe to remove /run/mysqld/wsrep-start-position
+# environment file.
+# Do not panic if galera_recovery script is not available. (MDEV-10538)
+ExecStartPre=/bin/sh -c "[ ! -e /usr/bin/galera_recovery ] && VAR= || \
+ VAR=`/usr/bin/galera_recovery`; [ $? -eq 0 ] \
+ && echo _WSREP_START_POSITION=$VAR > /run/mysqld/wsrep-start-position || exit 1"
+
+# Needed to create system tables etc.
+# ExecStartPre=/usr/bin/mariadb-install-db -u mysql
+
+# Start main service
+# MYSQLD_OPTS here is for users to set in /etc/systemd/system/mariadb.service.d/MY_SPECIAL.conf
+# Use the [Service] section and Environment="MYSQLD_OPTS=...".
+# This isn't a replacement for my.cnf.
+# _WSREP_NEW_CLUSTER is for the exclusive use of the script galera_new_cluster
+ExecStart=/usr/sbin/mariadbd $MYSQLD_OPTS $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION
+
+# Unset _WSREP_START_POSITION environment variable.
+ExecStartPost=/bin/rm -f /run/mysqld/wsrep-start-position
+
+ExecStartPost=+/etc/mysql/debian-start
+
+KillSignal=SIGTERM
+
+# Don't want to see an automated SIGKILL ever
+SendSIGKILL=no
+
+# Restart crashed server only, on-failure would also restart, for example, when
+# my.cnf contains unknown option
+Restart=on-abnormal
+RestartSec=5s
+
+UMask=007
+
+##############################################################################
+## USERs can override
+##
+##
+## by creating a file in /etc/systemd/system/mariadb.service.d/MY_SPECIAL.conf
+## and adding/setting the following under [Service] will override this file's
+## settings.
+
+# Useful options not previously available in [mysqld_safe]
+
+# Kernels like killing mariadbd when out of memory because its big.
+# Lets temper that preference a little.
+# OOMScoreAdjust=-600
+
+# Explicitly start with high IO priority
+# BlockIOWeight=1000
+
+# If you don't use the /tmp directory for SELECT ... OUTFILE and
+# LOAD DATA INFILE you can enable PrivateTmp=true for a little more security.
+PrivateTmp=false
+
+# Set an explicit Start and Stop timeout of 900 seconds (15 minutes!)
+# this is the same value as used in SysV init scripts in the past
+# Galera might need a longer timeout, check the KB if you want to change this:
+# https://mariadb.com/kb/en/library/systemd/#configuring-the-systemd-service-timeout
+TimeoutStartSec=900
+TimeoutStopSec=900
+
+# Set the maximium number of tasks (threads) to 99% of what the system can
+# handle as set by the kernel, reserve the 1% for a remote ssh connection,
+# some monitoring, or that backup cron job. Without the directive this would
+# be 15% (see DefaultTasksMax in systemd man pages).
+TasksMax=99%
+
+##
+## Options previously available to be set via [mysqld_safe]
+## that now needs to be set by systemd config files as mysqld_safe
+## isn't executed.
+##
+
+# Number of files limit. previously [mysqld_safe] open-files-limit
+LimitNOFILE=32768
+# For liburing and io_uring_setup()
+LimitMEMLOCK=524288
+# Maximium core size. previously [mysqld_safe] core-file-size
+# LimitCore=
+
+# Nice priority. previously [mysqld_safe] nice
+# Nice=-5
+
+# Timezone. previously [mysqld_safe] timezone
+# Environment="TZ=UTC"
+
+# Library substitutions. previously [mysqld_safe] malloc-lib with explicit paths
+# (in LD_LIBRARY_PATH) and library name (in LD_PRELOAD).
+# Environment="LD_LIBRARY_PATH=/path1 /path2" "LD_PRELOAD=
+
+# Flush caches. previously [mysqld_safe] flush-caches=1
+# ExecStartPre=sync
+# ExecStartPre=sysctl -q -w vm.drop_caches=3
+
+# numa-interleave=1 equalivant
+# Change ExecStart=numactl --interleave=all /usr/sbin/mariadbd......
+
+# crash-script equalivent
+# FailureAction=

etc/systemd/system/multi-user.target.wants/memcached.service

@@ -0,0 +1,84 @@
+# It's not recommended to modify this file in-place, because it will be
+# overwritten during upgrades.  If you want to customize, the best
+# way is to use the "systemctl edit" command to create an override unit.
+#
+# For example, to pass additional options, create an override unit
+# (as is done by systemctl edit) and enter the following:
+#
+#     [Service]
+#     Environment=OPTIONS="-l 127.0.0.1,::1"
+
+
+[Unit]
+Description=memcached daemon
+After=network.target
+Documentation=man:memcached(1)
+
+[Service]
+ExecStart=/usr/share/memcached/scripts/systemd-memcached-wrapper /etc/memcached.conf
+
+# Set up a new file system namespace and mounts private /tmp and /var/tmp
+# directories so this service cannot access the global directories and
+# other processes cannot access this service's directories.
+PrivateTmp=true
+
+# Mounts the /usr, /boot, and /etc directories read-only for processes
+# invoked by this unit.
+ProtectSystem=full
+
+# Ensures that the service process and all its children can never gain new
+# privileges
+NoNewPrivileges=true
+
+# Sets up a new /dev namespace for the executed processes and only adds API
+# pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as
+# the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda.
+PrivateDevices=true
+
+# Required for dropping privileges and running as a different user
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+
+# Restricts the set of socket address families accessible to the processes
+# of this unit. Protects against vulnerabilities such as CVE-2016-8655
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+# Attempts to create memory mappings that are writable and executable at
+# the same time, or to change existing memory mappings to become executable
+# are prohibited.
+MemoryDenyWriteExecute=true
+
+# Explicit module loading will be denied. This allows to turn off module
+# load and unload operations on modular kernels. It is recommended to turn
+# this on for most services that do not need special file systems or extra
+# kernel modules to work.
+ProtectKernelModules=true
+
+# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger,
+# /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq
+# will be made read-only to all processes of the unit. Usually, tunable
+# kernel variables should only be written at boot-time, with the sysctl.d(5)
+# mechanism. Almost no services need to write to these at runtime; it is hence
+# recommended to turn this on for most services.
+ProtectKernelTunables=true
+
+# The Linux Control Groups (cgroups(7)) hierarchies accessible through
+# /sys/fs/cgroup will be made read-only to all processes of the unit.
+# Except for container managers no services should require write access
+# to the control groups hierarchies; it is hence recommended to turn this
+# on for most services
+ProtectControlGroups=true
+
+# Any attempts to enable realtime scheduling in a process of the unit are
+# refused.
+RestrictRealtime=true
+
+# Takes away the ability to create or manage any kind of namespace
+RestrictNamespaces=true
+
+PIDFile=/run/memcached/memcached.pid
+
+# try to restart if errors encountered
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/multi-user.target.wants/msmtpd.service

@@ -0,0 +1,28 @@
+[Unit]
+Description=msmtp daemon
+Documentation=man:msmtpd(1)
+
+[Service]
+DynamicUser=true
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+# NoNewPrivileges prevents the setgid mechanism from working
+# so since msmtp is setgid in order to read /etc/msmtprc, the
+# msmtp group need to be added in a different way
+SupplementaryGroups=msmtp
+
+Environment=INTERFACE=127.0.0.1 PORT=25
+EnvironmentFile=-/etc/default/msmtpd
+
+Type=simple
+ExecStart=/usr/bin/msmtpd --interface=${INTERFACE} --port=${PORT}
+
+Restart=always
+RestartSec=60
+
+ProtectHome=true
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/multi-user.target.wants/networking.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=Raise network interfaces
+Documentation=man:interfaces(5)
+DefaultDependencies=no
+Wants=network.target ifupdown-pre.service
+After=local-fs.target network-pre.target apparmor.service systemd-sysctl.service systemd-modules-load.service ifupdown-pre.service
+Before=network.target shutdown.target network-online.target
+Conflicts=shutdown.target
+
+[Install]
+WantedBy=multi-user.target
+WantedBy=network-online.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=-/etc/default/networking
+ExecStart=/usr/sbin/ifup -a --read-environment
+ExecStart=-/bin/sh -c 'if [ -f /run/network/restart-hotplug ]; then /usr/sbin/ifup -a --read-environment --allow=hotplug; fi'
+ExecStop=/usr/sbin/ifdown -a --read-environment --exclude=lo
+ExecStopPost=/usr/bin/touch /run/network/restart-hotplug
+RemainAfterExit=true
+TimeoutStartSec=5min

etc/systemd/system/multi-user.target.wants/php8.4-fpm.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=The PHP 8.4 FastCGI Process Manager
+Documentation=man:php-fpm8.4(8)
+After=network.target
+
+[Service]
+Type=notify
+ExecStart=/usr/sbin/php-fpm8.4 --nodaemonize --fpm-config /etc/php/8.4/fpm/php-fpm.conf
+ExecStartPost=-/usr/lib/php/php-fpm-socket-helper install /run/php/php-fpm.sock /etc/php/8.4/fpm/pool.d/www.conf 84
+ExecStopPost=-/usr/lib/php/php-fpm-socket-helper remove /run/php/php-fpm.sock /etc/php/8.4/fpm/pool.d/www.conf 84
+ExecReload=/bin/kill -USR2 $MAINPID
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/multi-user.target.wants/prometheus-mysqld-exporter.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Prometheus exporter for MySQL server
+Documentation=man:prometheus-mysqld-exporter(1)
+
+[Service]
+Restart=on-failure
+User=prometheus
+EnvironmentFile=/etc/default/prometheus-mysqld-exporter
+ExecStart=/usr/bin/prometheus-mysqld-exporter $ARGS
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/multi-user.target.wants/prometheus-node-exporter.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Prometheus exporter for machine metrics
+Documentation=https://github.com/prometheus/node_exporter
+
+[Service]
+Restart=on-failure
+User=prometheus
+EnvironmentFile=/etc/default/prometheus-node-exporter
+ExecStart=/usr/bin/prometheus-node-exporter $ARGS
+ExecReload=/bin/kill -HUP $MAINPID
+TimeoutStopSec=20s
+SendSIGKILL=no
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/multi-user.target.wants/reaction@reaction.jsonnet.service

@@ -0,0 +1,20 @@
+# vim: ft=systemd
+[Unit]
+Description=A daemon that scans program outputs for repeated patterns, and takes action.
+Documentation=https://reaction.ppom.me
+# Ensure reaction will insert its chain after docker has inserted theirs. Only useful when iptables & docker are used
+# After=docker.service
+
+# See `man systemd.exec` and `man systemd.service` for most options below
+[Service]
+ExecStart=/usr/bin/reaction start -c /etc/%i
+
+# Ask systemd to create /var/lib/reaction (/var/lib/ is implicit)
+StateDirectory=reaction
+# Ask systemd to create /run/reaction at runtime (/run/ is implicit)
+RuntimeDirectory=reaction
+# Start reaction in its state directory
+WorkingDirectory=/var/lib/reaction
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/multi-user.target.wants/remote-fs.target

@@ -0,0 +1,18 @@
+#  SPDX-License-Identifier: LGPL-2.1-or-later
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=Remote File Systems
+Documentation=man:systemd.special(7)
+After=remote-fs-pre.target
+DefaultDependencies=no
+Conflicts=shutdown.target
+
+[Install]
+WantedBy=multi-user.target

etc/systemd/system/multi-user.target.wants/ssh.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=OpenBSD Secure Shell server
+Documentation=man:sshd(8) man:sshd_config(5)
+After=network.target nss-user-lookup.target auditd.service
+ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
+
+[Service]
+EnvironmentFile=-/etc/default/ssh
+ExecStartPre=/usr/sbin/sshd -t
+ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
+ExecReload=/usr/sbin/sshd -t
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+Type=notify
+RuntimeDirectory=sshd
+RuntimeDirectoryMode=0755
+
+[Install]
+WantedBy=multi-user.target
+Alias=sshd.service