From eb77fcfb721d66c2659364ff43493b65bf7b1fa5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= <f@miniflux.net>
Date: Mon, 9 Nov 2020 21:06:38 -0800
Subject: [PATCH] systemd: keep /run writeable

Folks using a unix socket could use /run/miniflux/miniflux.sock without permission issue
---
 packaging/systemd/miniflux.service | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/packaging/systemd/miniflux.service b/packaging/systemd/miniflux.service
index 0edc41e0..a32075a4 100644
--- a/packaging/systemd/miniflux.service
+++ b/packaging/systemd/miniflux.service
@@ -1,3 +1,8 @@
+# Changing the systemd config can be done like this:
+# 1) Edit the config file: vim /usr/lib/systemd/system/miniflux.service
+# 2) Reload systemd: systemctl daemon-reload
+# 3) Restart the process: systemctl restart miniflux
+
 [Unit]
 Description=Miniflux Feed Reader
 After=network.target postgresql.service
@@ -9,15 +14,34 @@ User=miniflux
 ExecStart=/usr/bin/miniflux
 Restart=always
 
-# Hardening options:
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#NoNewPrivileges=
 NoNewPrivileges=true
+
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateDevices=
 PrivateDevices=true
+
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectControlGroups=
 ProtectControlGroups=true
+
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=
 ProtectHome=true
+
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelModules=
 ProtectKernelModules=true
+
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables=
 ProtectKernelTunables=true
+
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=
 ProtectSystem=strict
+
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictRealtime=
 RestrictRealtime=true
 
+# Keep at least the /run folder writeable if Miniflux is configured to use a Unix socket.
+# For example, the socket could be LISTEN_ADDR=/run/miniflux/miniflux.sock
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
+ReadWritePaths=/run
+
 [Install]
 WantedBy=multi-user.target