# Blame header from the source view: Amna | f38fa10 | 2024-02-01 16:39:30 -0500
# Build template for dnc.service: @bindir@ and @sysconfdir@ are substituted at build time.

[Unit]
Description=Dnc server
Documentation=man:dnc(1)
After=network.target

[Service]
Type=simple
User=dnc
Group=dnc
ExecStart=@bindir@/dnc -l -d @sysconfdir@/dhtnet/dnc.yaml -c @sysconfdir@/dhtnet/id/id-server.crt -p @sysconfdir@/dhtnet/id/id-server.pem
Restart=on-failure
RestartSec=2s
LimitNOFILE=65536
DynamicUser=yes
KillMode=process
WorkingDirectory=/tmp

# Hardening
# Only the capability needed to bind privileged ports is kept; everything else is dropped.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
LockPersonality=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
# ReadOnlyDirectories= and ReadWriteDirectories= are the older names of ReadOnlyPaths= and
# ReadWritePaths=; a leading "-" means a missing path is ignored instead of failing the unit.
ReadOnlyDirectories=/
ReadWriteDirectories=-/proc/self
ReadWriteDirectories=-/var/run
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target