dnc: fix systemd service

Remove the need for a dnc user. We should not force admins to create
a new dedicated user.
Use an env variable to set where data is cached, and add fallbacks to avoid any crash.

Change-Id: If8fa2ced856c36f2d63870f9b6a6fc7839d91040
diff --git a/tools/dnc/systemd/dnc.service.in b/tools/dnc/systemd/dnc.service.in
index dedcea4..3f0568e 100644
--- a/tools/dnc/systemd/dnc.service.in
+++ b/tools/dnc/systemd/dnc.service.in
@@ -2,42 +2,20 @@
 Description=Dnc server
 Documentation=man:dnc(1)
 After=network.target
+Wants=network-online.target
+Documentation=https://git.jami.net/savoirfairelinux/dhtnet/blob/master/tools/dvpn/README.md
 
 [Service]
-Type=simple
-User=dnc
-Group=dnc
+Type=exec
+Environment="DHTNET_CACHE_DIR=/var/run/dhtnet"
 ExecStart=@bindir@/dnc -l -d @sysconfdir@/dhtnet/dnc.yaml -c @sysconfdir@/dhtnet/id/id-server.crt -p @sysconfdir@/dhtnet/id/id-server.pem
 Restart=on-failure
-RestartSec=2s
-LimitNOFILE=65536
-DynamicUser=yes
-KillMode=process
-WorkingDirectory=/tmp
-
-# Hardening
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-LockPersonality=yes
-NoNewPrivileges=yes
-PrivateDevices=yes
-PrivateTmp=yes
-PrivateUsers=yes
-ProtectClock=yes
-ProtectControlGroups=yes
-ProtectHome=yes
-ProtectHostname=yes
-ProtectKernelLogs=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
 ProtectSystem=strict
-ReadOnlyDirectories=/
-ReadWriteDirectories=-/proc/self
-ReadWriteDirectories=-/var/run
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=yes
-RestrictRealtime=yes
-SystemCallArchitectures=native
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+PrivateDevices=yes
 SystemCallFilter=@system-service
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
\ No newline at end of file
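Review bot: Dropping `User=`, `Group=` and `DynamicUser=yes` together makes the dnc server run as root, and the same hunk also removes `NoNewPrivileges=`, `CapabilityBoundingSet=` and `RestrictAddressFamilies=`, so a compromise of the daemon is no longer contained. `DynamicUser=yes` on its own already spares admins from creating an account, so it can stay while only `User=dnc`/`Group=dnc` go. Separately, `ProtectSystem=strict` is kept but `ReadWriteDirectories=-/var/run` is removed, so the `/var/run/dhtnet` path in `DHTNET_CACHE_DIR` will be read-only unless something like `RuntimeDirectory=dhtnet` makes it writable. If the key at `@sysconfdir@/dhtnet/id/id-server.pem` is readable by root only, an unprivileged service would need another way to read it; that is not visible in this hunk.

```ini
[Service]
Type=exec
# No pre-created account needed: systemd allocates the user at start.
DynamicUser=yes
# Created by systemd and writable even under ProtectSystem=strict.
RuntimeDirectory=dhtnet
Environment="DHTNET_CACHE_DIR=/run/dhtnet"
# … unchanged: ExecStart, Restart, Protect*/PrivateDevices, SystemCallFilter …
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
```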