systemd

This is a relatively hardened systemd service file for festivald.

${USER} should be replaced by a user that has access to an audio server (like PulseAudio).

It should be placed at:

/etc/systemd/system/festivald.service

and launched with:

sudo systemctl start festivald

festivald.service

#===================#
# festivald.service #
#=======================================================#
# This is a systemd user service file for `festivald`.  #
# It is relatively hardened for public usage.           #
#                                                       #
# ${USER} should be replaced by a user that has         #
# access to an audio server (like PulseAudio).          #
#=======================================================#

[Unit]
Description=Festival Daemon
After=network-online.target
StartLimitIntervalSec=300
StartLimitBurst=5

[Service]
User=${USER} # <- Replace Me
Type=simple
ExecStart=/usr/bin/festivald

## Wait 35 seconds before sending SIGTERM on exit
KillSignal=SIGTERM
TimeoutStopSec=35s
SendSIGKILL=true

## Hardening
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_KILL CAP_SYS_PACCT CAP_SYS_BOOT CAP_SYS_CHROOT CAP_LEASE CAP_MKNOD CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_TIME CAP_IPC_LOCK CAP_LINUX_IMMUTABLE CAP_FOWNER CAP_IPC_OWNER CAP_SYS_RESOURCE
RestrictNamespaces=true
ProtectHostname=true
ProtectClock=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectProc=invisible
ProcSubset=pid
ProtectControlGroups=true
ProtectKernelTunables=true
PrivateUsers=true
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict

[Install]
WantedBy=default.target