dnc: add systemd
Change-Id: I6cbf939f35ddbd4b72d30e2bf43ad59f5e6a6658
diff --git a/tools/dnc/systemd/dnc.service.in b/tools/dnc/systemd/dnc.service.in
new file mode 100644
index 0000000..dedcea4
--- /dev/null
+++ b/tools/dnc/systemd/dnc.service.in
@@ -0,0 +1,43 @@
+[Unit]
+Description=Dnc server
+Documentation=man:dnc(1)
+After=network.target
+
+[Service]
+Type=simple
+User=dnc
+Group=dnc
+ExecStart=@bindir@/dnc -l -d @sysconfdir@/dhtnet/dnc.yaml -c @sysconfdir@/dhtnet/id/id-server.crt -p @sysconfdir@/dhtnet/id/id-server.pem
+Restart=on-failure
+RestartSec=2s
+LimitNOFILE=65536
+DynamicUser=yes
+KillMode=process
+WorkingDirectory=/tmp
+
+# Hardening
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+LockPersonality=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/proc/self
+ReadWriteDirectories=-/var/run
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target