gotosocial/example/gotosocial.service

[Unit]
Description=GoToSocial Server

[Service]

# make sure this user and group exist and have read and write permissions in your GoToSocial folder.
# if they do not exist yet create them with "sudo useradd -r gotosocial"
# then give them permission with "chown -R gotosocial:gotosocial /gotosocial" (path to your gotosocial folder)
# you can adjust the users name according to your setup
User=gotosocial
Group=gotosocial

Type=exec
Restart=on-failure

# For speedier restart times, you can uncomment the following Environment line to have GoToSocial cache compiled
# Wazero artifacts in the given directory between restarts, so that it doesn't need to compile on startup every time.
#
# You may need to change the exact path depending on where you've got GoToSocial installed, for example if you've
# installed at "~/gotosocial" then change the value to "GTS_WAZERO_COMPILATION_CACHE=~/gotosocial/.cache".
#
# Whatever you do, make sure the dir exists and that the gotosocial user has permission to write + read from it.
#Environment="GTS_WAZERO_COMPILATION_CACHE=/gotosocial/.cache"

# If you have set `metrics-enabled` to `true` in your GoToSocial config file, and you want
# to expose Prometheus metrics at localhost:9464/metrics, uncomment the following two lines:
#Environment="OTEL_METRICS_EXPORTER=prometheus"
#Environment="OTEL_METRICS_PRODUCERS=prometheus"

# change if your path to the GoToSocial binary is different
ExecStart=/gotosocial/gotosocial --config-path config.yaml server start
WorkingDirectory=/gotosocial

# Sandboxing options to harden security
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
DevicePolicy=closed
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap

# Denying access to capabilities that should not be relevant
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
# You might need this if you are running as non-root on a privileged port (below 1024)
#AmbientCapabilities=CAP_NET_BIND_SERVICE


[Install]
WantedBy=default.target

# After you are done editing this file move it to "/etc/systemd/system/gotosocial.service" and enable the service with "sudo systemctl enable --now gotosocial.service"
add example systemd service (#341) 2021-12-12 15:48:02 +01:00			`[Unit]`
			`Description=GoToSocial Server`

			`[Service]`

			`# make sure this user and group exist and have read and write permissions in your GoToSocial folder.`
			`# if they do not exist yet create them with "sudo useradd -r gotosocial"`
			`# then give them permission with "chown -R gotosocial:gotosocial /gotosocial" (path to your gotosocial folder)`
			`# you can adjust the users name according to your setup`
			`User=gotosocial`
			`Group=gotosocial`

			`Type=exec`
			`Restart=on-failure`

[chore/docs] Add `/gotosocial/.cache` to Docker container, document `GTS_WAZERO_COMPILATION_CACHE` (#3425) * [chore/docs] Add `/gotosocial/.cache` to Docker container, document `GTS_WAZERO_COMPILATION_CACHE` * update wazero artifact size guesstimate 2024-10-13 21:51:31 +02:00			`# For speedier restart times, you can uncomment the following Environment line to have GoToSocial cache compiled`
			`# Wazero artifacts in the given directory between restarts, so that it doesn't need to compile on startup every time.`
			`#`
			`# You may need to change the exact path depending on where you've got GoToSocial installed, for example if you've`
			`# installed at "~/gotosocial" then change the value to "GTS_WAZERO_COMPILATION_CACHE=~/gotosocial/.cache".`
			`#`
			`# Whatever you do, make sure the dir exists and that the gotosocial user has permission to write + read from it.`
			`#Environment="GTS_WAZERO_COMPILATION_CACHE=/gotosocial/.cache"`

[chore/docs] Fix Prometheus metric names for Gin, include example Grafana dash, update docs (#4443) # Description > If this is a code change, please include a summary of what you've coded, and link to the issue(s) it closes/implements. > > If this is a documentation change, please briefly describe what you've changed and why. This pull request updates some of our inconsistent metric naming, and adds an example Grafana dashboard using all the most up-to-date metrics names, and updates our docs to describe the latest way of setting up metrics. Closes https://codeberg.org/superseriousbusiness/gotosocial/issues/4362 Closes https://codeberg.org/superseriousbusiness/gotosocial/issues/4055 ## Checklist Please put an x inside each checkbox to indicate that you've read and followed it: `[ ]` -> `[x]` If this is a documentation change, only the first checkbox must be filled (you can delete the others if you want). - [x] I/we have read the [GoToSocial contribution guidelines](https://codeberg.org/superseriousbusiness/gotosocial/src/branch/main/CONTRIBUTING.md). - [x] I/we have discussed the proposed changes already, either in an issue on the repository, or in the Matrix chat. - [x] I/we have not leveraged AI to create the proposed changes. - [x] I/we have performed a self-review of added code. - [x] I/we have written code that is legible and maintainable by others. - [x] I/we have commented the added code, particularly in hard-to-understand areas. - [x] I/we have made any necessary changes to documentation. - [ ] I/we have added tests that cover new code. - [x] I/we have run tests and they pass locally with the changes. - [x] I/we have run `go fmt ./...` and `golangci-lint run`. Co-authored-by: kim <grufwub@gmail.com> Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4443 Reviewed-by: kim <gruf@noreply.codeberg.org> Co-authored-by: tobi <tobi.smethurst@protonmail.com> Co-committed-by: tobi <tobi.smethurst@protonmail.com> 2025-09-18 16:48:45 +02:00			# If you have set `metrics-enabled` to `true` in your GoToSocial config file, and you want
			`# to expose Prometheus metrics at localhost:9464/metrics, uncomment the following two lines:`
			`#Environment="OTEL_METRICS_EXPORTER=prometheus"`
			`#Environment="OTEL_METRICS_PRODUCERS=prometheus"`

add example systemd service (#341) 2021-12-12 15:48:02 +01:00			`# change if your path to the GoToSocial binary is different`
			`ExecStart=/gotosocial/gotosocial --config-path config.yaml server start`
			`WorkingDirectory=/gotosocial`

[feature/security] Add systemd sandboxing options to harden security (#440) 2022-03-28 13:37:16 +02:00			`# Sandboxing options to harden security`
			`# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html`
			`NoNewPrivileges=yes`
			`PrivateTmp=yes`
			`PrivateDevices=yes`
			`RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`
			`RestrictNamespaces=yes`
			`RestrictRealtime=yes`
			`DevicePolicy=closed`
			`ProtectSystem=full`
			`ProtectControlGroups=yes`
			`ProtectKernelModules=yes`
			`ProtectKernelTunables=yes`
			`LockPersonality=yes`
			`SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap`

			`# Denying access to capabilities that should not be relevant`
			`# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html`
			`CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD`
			`CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE`
			`CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT`
			`CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK`
			`CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM`
			`CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG`
			`CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE`
			`CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW`
			`CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG`
[docs] Mention `AmbientCapabilities=CAP_NET_BIND_SERVICE` in example systemd service (#576) 2022-05-16 10:55:21 +02:00			`# You might need this if you are running as non-root on a privileged port (below 1024)`
			`#AmbientCapabilities=CAP_NET_BIND_SERVICE`
[feature/security] Add systemd sandboxing options to harden security (#440) 2022-03-28 13:37:16 +02:00

add example systemd service (#341) 2021-12-12 15:48:02 +01:00			`[Install]`
			`WantedBy=default.target`

			`# After you are done editing this file move it to "/etc/systemd/system/gotosocial.service" and enable the service with "sudo systemctl enable --now gotosocial.service"`