| [Unit] |
| Description=Dnc server |
| Documentation=man:dnc(1) |
| After=network.target |
| |
| [Service] |
| Type=simple |
| User=dnc |
| Group=dnc |
| ExecStart=@bindir@/dnc -l -d @sysconfdir@/dhtnet/dnc.yaml -c @sysconfdir@/dhtnet/id/id-server.crt -p @sysconfdir@/dhtnet/id/id-server.pem |
| Restart=on-failure |
| RestartSec=2s |
| LimitNOFILE=65536 |
| DynamicUser=yes |
| KillMode=process |
| WorkingDirectory=/tmp |
| |
| # Hardening |
| CapabilityBoundingSet=CAP_NET_BIND_SERVICE |
| LockPersonality=yes |
| NoNewPrivileges=yes |
| PrivateDevices=yes |
| PrivateTmp=yes |
| PrivateUsers=yes |
| ProtectClock=yes |
| ProtectControlGroups=yes |
| ProtectHome=yes |
| ProtectHostname=yes |
| ProtectKernelLogs=yes |
| ProtectKernelModules=yes |
| ProtectKernelTunables=yes |
| ProtectSystem=strict |
| ReadOnlyDirectories=/ |
| ReadWriteDirectories=-/proc/self |
| ReadWriteDirectories=-/var/run |
| RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 |
| RestrictNamespaces=yes |
| RestrictRealtime=yes |
| SystemCallArchitectures=native |
| SystemCallFilter=@system-service |
| |
| [Install] |
| WantedBy=multi-user.target |