first commit

xxx/deb/usr/lib/systemd/system/steffen-xxx.service

@@ -0,0 +1,41 @@
+[Unit]
+Description=steffen Xxx/Rfs Webservice
+After=network.target syslog.socket
+StartLimitBurst=5
+StartLimitIntervalSec=10
+
+[Service]
+Type=forking
+User=steffen-xxx
+Group=webapps
+WorkingDirectory=/opt/xxx/app
+ExecStart=/usr/bin/hypnotoad ./script/XxxApp
+ExecReload=/usr/bin/hypnotoad ./script/XxxApp
+Restart=on-failure
+PIDFile=/run/xxx.pid
+KillMode=process
+
+# Optional hardening to improve security
+ReadWritePaths=/opt/xxx
+NoNewPrivileges=yes
+MemoryDenyWriteExecute=true
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+#ProtectSystem=strict
+ProtectControlGroups=true
+#RestrictSUIDSGID=true
+RestrictRealtime=true
+LockPersonality=true
+#ProtectKernelLogs=true
+ProtectKernelTunables=true
+#ProtectHostname=true
+ProtectKernelModules=true
+PrivateUsers=true
+#ProtectClock=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target

xxx/deb/usr/lib/sysusers.d/steffen-xxx.conf

@@ -0,0 +1,5 @@
+# see https://www.freedesktop.org/software/systemd/man/latest/sysusers.d.html
+# Type Name    ID      GECOS                              Home                    Shell
+g webapps      -       -
+u steffen-xxx  -       "steffen Xxx"                        /opt/xxx               -
+m steffen-xxx  webapps

xxx/deb/usr/lib/tmpfiles.d/steffen-xxx.conf

@@ -0,0 +1,3 @@
+# see https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html
+# Type Path                       Mode User           Group          Age    Argument
+Z /opt/xxx                        -    steffen-xxx    steffen-xxx