One thing I really like about systemd is the unit sandboxing capabilities and how convenient it is

https://wiki.archlinux.org/title/Systemd/Sandboxing

Here's an example from my tuwunel matrix systemd unit

[Unit]
Description=Tuwunel Matrix homeserver
#Requires=tuwunel.socket
Wants=network-online.target
After=network-online.target
Documentation=https://tuwunel.chat/

[Service]
User=tuwunel
Group=tuwunel
Type=notify
ReloadSignal=SIGUSR1
WatchdogSec=30
TTYPath=/dev/tty25
DeviceAllow=char-tty
StandardInput=tty-force
StandardOutput=tty
StandardError=journal+console
TTYReset=yes
# uncomment to allow buffer to be cleared every restart
TTYVTDisallocate=no
TTYColumns=120
TTYRows=40
Environment="TUWUNEL_CONFIG=/etc/tuwunel/tuwunel.toml"
ExecStart=/usr/sbin/tuwunel
ReadWritePaths=/var/lib/tuwunel /etc/tuwunel
AmbientCapabilities=
CapabilityBoundingSet=
ManagedOOMPreference=avoid
MemoryHigh=3G
MemoryMax=4G
DevicePolicy=closed
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
#ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
PrivateUsers=yes
PrivateIPC=yes
RemoveIPC=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service @resources
SystemCallFilter=~@clock @debug @module @mount @reboot @swap @cpu-emulation @obsolete @timer @chown @setuid @privileged @keyring @ipc
SystemCallErrorNumber=EPERM
#StateDirectory=tuwunel
RuntimeDirectory=tuwunel
RuntimeDirectoryMode=0750
Restart=on-failure
RestartSec=5
TimeoutStopSec=2m
TimeoutStartSec=2m
StartLimitInterval=1m
StartLimitBurst=5

[Install]
WantedBy=multi-user.target
Alias=matrix-tuwunel.service

How can I replicate that kind of stuff with OpenRC?

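Whichever init system ends up running the service, the question that matters is what the effective sandbox looks like after all the list settings in a unit like the one above are merged. Below is an added example (it is not from the post, the tuwunel project, or systemd itself) that parses a service unit with systemd's rules for list-valued settings (repeated assignments accumulate, an empty assignment resets the list, a leading "~" inverts the assignment) and reports which entries of a small hardening checklist are absent or weaker than expected. The checklist, the set of list-valued keys, and the trimmed sample unit embedded in the script are constructed for this example.

```python
"""Audit the sandboxing directives of a systemd service unit.

Added example, not code from the original post or from any project.  The
parser follows systemd's handling of list-valued settings; the checklist
and the sample unit are constructed for illustration only.
"""

import re

# Constructed sample: a trimmed copy of the [Service] hardening shown in the post.
SAMPLE_UNIT = """\
[Unit]
Description=Tuwunel Matrix homeserver
#Requires=tuwunel.socket

[Service]
User=tuwunel
ExecStart=/usr/sbin/tuwunel
AmbientCapabilities=
CapabilityBoundingSet=
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service @resources
SystemCallFilter=~@clock @debug @module @mount
#ProcSubset=pid
"""

# Settings systemd treats as lists: repeated lines add, an empty line resets.
# (Subset chosen for this example; the real set is larger.)
LIST_KEYS = {
    "SystemCallFilter", "RestrictAddressFamilies", "ReadWritePaths",
    "AmbientCapabilities", "CapabilityBoundingSet", "DeviceAllow",
}

# Constructed checklist: directive -> value considered hardened.
HARDENING_CHECKLIST = {
    "NoNewPrivileges": "yes",
    "ProtectSystem": "strict",
    "ProtectHome": "yes",
    "PrivateTmp": "yes",
    "PrivateDevices": "yes",
    "ProtectKernelTunables": "yes",
    "SystemCallArchitectures": "native",
}


def parse_unit(text):
    """Return {section: {key: value}}; keys in LIST_KEYS map to token lists."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, _, value = (part.strip() for part in line.partition("="))
        if key not in LIST_KEYS:
            current[key] = value                 # later scalar assignment wins
        elif value == "":
            current[key] = []                    # empty assignment resets the list
        else:
            # A leading "~" inverts the whole assignment (e.g. a deny list);
            # carry it on every token so accumulated entries stay unambiguous.
            negate = value.startswith("~")
            tokens = value.lstrip("~").split()
            current.setdefault(key, []).extend(
                ("~" + t if negate else t) for t in tokens)
    return sections


def audit_service(text):
    """Return findings for checklist items that are missing or weaker than expected."""
    svc = parse_unit(text).get("Service", {})
    findings = []
    for key, want in HARDENING_CHECKLIST.items():
        got = svc.get(key)
        if got is None:
            findings.append(f"{key} is not set (expected {want})")
        elif got != want:
            findings.append(f"{key}={got} (expected {want})")
    # CapabilityBoundingSet must be *present*: an empty "CapabilityBoundingSet="
    # drops every capability, whereas omitting it keeps the full default set.
    if "CapabilityBoundingSet" not in svc:
        findings.append("CapabilityBoundingSet is not set (default keeps all capabilities)")
    if "SystemCallFilter" not in svc:
        findings.append("SystemCallFilter is not set (no seccomp filter)")
    return findings


if __name__ == "__main__":
    for finding in audit_service(SAMPLE_UNIT):
        print(finding)
```

The distinction the parser preserves between "not set" and "reset to empty" is the one that matters for capabilities: `CapabilityBoundingSet=` with no value is the strongest setting, while leaving the line out entirely leaves the default bounding set in place. The same audit can be pointed at any unit text, for instance the output of `systemctl cat` for a service, before deciding what has to be reproduced in another init system.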