one thing i *really* like about systemd is the unit sandboxing capabilities and how ...

Why Nostr? What is Njump? Join Nostr

june ✿ (6a756e65)

npub1js…8ssgw

2026-05-06 01:37:47 UTC

one thing i *really* like about systemd is the unit sandboxing capabilities and how convenient it is

https://wiki.archlinux.org/title/Systemd/Sandboxing

heres an example from my tuwunel matrix systemd unit

```
[Unit]
Description=Tuwunel Matrix homeserver
#Requires=tuwunel.socket
Wants=network-online.target
After=network-online.target
Documentation=https://tuwunel.chat/

[Service]
User=tuwunel
Group=tuwunel
Type=notify
ReloadSignal=SIGUSR1
WatchdogSec=30

TTYPath=/dev/tty25
DeviceAllow=char-tty
StandardInput=tty-force
StandardOutput=tty
StandardError=journal+console
TTYReset=yes
# uncomment to allow buffer to be cleared every restart
TTYVTDisallocate=no

TTYColumns=120
TTYRows=40

Environment="TUWUNEL_CONFIG=/etc/tuwunel/tuwunel.toml"

ExecStart=/usr/sbin/tuwunel

ReadWritePaths=/var/lib/tuwunel /etc/tuwunel

AmbientCapabilities=
CapabilityBoundingSet=

ManagedOOMPreference=avoid

MemoryHigh=3G
MemoryMax=4G

DevicePolicy=closed
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
#ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
PrivateUsers=yes
PrivateIPC=yes
RemoveIPC=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service @resources
SystemCallFilter=~@clock @debug @module @mount @reboot @swap @cpu-emulation @obsolete @timer @chown @setuid @privileged @keyring @ipc
SystemCallErrorNumber=EPERM
#StateDirectory=tuwunel

RuntimeDirectory=tuwunel
RuntimeDirectoryMode=0750

Restart=on-failure
RestartSec=5

TimeoutStopSec=2m
TimeoutStartSec=2m

StartLimitInterval=1m
StartLimitBurst=5

[Install]
WantedBy=multi-user.target
Alias=matrix-tuwunel.service
```

how can i replicate that kind of stuff with openrc?

Author Public Key

npub1jskpqy269nw53zrfpyncvjelel8f5pzdlmq8gzsyz6gqfzkyx84qk8ssgw

Seen on

wss://relay.momostr.pink

Show more details

Published at

2026-05-06 01:37:47 UTC

Kind type

1 Short Text Note

Event JSON

{ "id": "9e214ee9b8d162009b2e91754beb82703414a1fe6d4a33c0b3b83cd3b5582a0a", "pubkey": "942c10115a2cdd4888690927864b3fcfce9a044dfec0740a041690048ac431ea", "created_at": 1778031467, "kind": 1, "tags": [ [ "t", "requires" ], [ "t", "procsubset" ], [ "t", "statedirectory" ], [ "proxy", "https://ublog.kimapr.net/objects/9f4de3f4-509d-4b83-ba18-c6ee551a1a67", "activitypub" ], [ "L", "pink.momostr" ], [ "l", "pink.momostr.activitypub:https://ublog.kimapr.net/objects/9f4de3f4-509d-4b83-ba18-c6ee551a1a67", "pink.momostr" ], [ "-" ] ], "content": "one thing i *really* like about systemd is the unit sandboxing capabilities and how convenient it is\r\n\r\nhttps://wiki.archlinux.org/title/Systemd/Sandboxing\r\n\r\nheres an example from my tuwunel matrix systemd unit\r\n\r\n```\r\n[Unit]\r\nDescription=Tuwunel Matrix homeserver\r\n#Requires=tuwunel.socket\r\nWants=network-online.target\r\nAfter=network-online.target\r\nDocumentation=https://tuwunel.chat/\r\n\r\n[Service]\r\nUser=tuwunel\r\nGroup=tuwunel\r\nType=notify\r\nReloadSignal=SIGUSR1\r\nWatchdogSec=30\r\n\r\nTTYPath=/dev/tty25\r\nDeviceAllow=char-tty\r\nStandardInput=tty-force\r\nStandardOutput=tty\r\nStandardError=journal+console\r\nTTYReset=yes\r\n# uncomment to allow buffer to be cleared every restart\r\nTTYVTDisallocate=no\r\n\r\nTTYColumns=120\r\nTTYRows=40\r\n\r\nEnvironment=\"TUWUNEL_CONFIG=/etc/tuwunel/tuwunel.toml\"\r\n\r\nExecStart=/usr/sbin/tuwunel\r\n\r\nReadWritePaths=/var/lib/tuwunel /etc/tuwunel\r\n\r\nAmbientCapabilities=\r\nCapabilityBoundingSet=\r\n\r\nManagedOOMPreference=avoid\r\n\r\nMemoryHigh=3G\r\nMemoryMax=4G\r\n\r\nDevicePolicy=closed\r\nLockPersonality=yes\r\nMemoryDenyWriteExecute=yes\r\nNoNewPrivileges=yes\r\n#ProcSubset=pid\r\nProtectClock=yes\r\nProtectControlGroups=yes\r\nProtectHome=yes\r\nProtectHostname=yes\r\nProtectKernelLogs=yes\r\nProtectKernelModules=yes\r\nProtectKernelTunables=yes\r\nProtectProc=invisible\r\nProtectSystem=strict\r\nPrivateDevices=yes\r\nPrivateMounts=yes\r\nPrivateTmp=yes\r\nPrivateUsers=yes\r\nPrivateIPC=yes\r\nRemoveIPC=yes\r\nRestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX\r\nRestrictNamespaces=yes\r\nRestrictRealtime=yes\r\nRestrictSUIDSGID=yes\r\nSystemCallArchitectures=native\r\nSystemCallFilter=@system-service @resources\r\nSystemCallFilter=~@clock @debug @module @mount @reboot @swap @cpu-emulation @obsolete @timer @chown @setuid @privileged @keyring @ipc\r\nSystemCallErrorNumber=EPERM\r\n#StateDirectory=tuwunel\r\n\r\nRuntimeDirectory=tuwunel\r\nRuntimeDirectoryMode=0750\r\n\r\nRestart=on-failure\r\nRestartSec=5\r\n\r\nTimeoutStopSec=2m\r\nTimeoutStartSec=2m\r\n\r\nStartLimitInterval=1m\r\nStartLimitBurst=5\r\n\r\n[Install]\r\nWantedBy=multi-user.target\r\nAlias=matrix-tuwunel.service\r\n```\r\n\r\nhow can i replicate that kind of stuff with openrc?", "sig": "bcd29c3bc8b4659ff7b4ae8671b8e032aa2aa0186de31333414f6fd0be7695872928fcaa6140f331e46c1f23c42f13900bc6ce1b832023d5f9c3097a582f7741" }