[thirdparty/pdns.git] / pdns / ixfrdist.service.in

[Unit]
Description=PowerDNS IXFR Distributor
Documentation=man:ixfrdist(1)
Documentation=man:ixfrdist.yml(5)
Documentation=https://doc.powerdns.com
Wants=network-online.target
After=network-online.target time-sync.target

[Service]
Type=simple
ExecStart=@bindir@/ixfrdist
Restart=on-failure
RestartSec=1
StartLimitInterval=0

# Sandboxing
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
LockPersonality=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
# Setting PrivateUsers=true prevents us from opening our sockets
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
ProtectProc=invisible
PrivateIPC=true
RemoveIPC=true
DevicePolicy=closed
MemoryDenyWriteExecute=true

[Install]
WantedBy=multi-user.target
Commit	Line	Data
b14d512f PL	1	[Unit]
	2	Description=PowerDNS IXFR Distributor
	3	Documentation=man:ixfrdist(1)
0a7eb290	4	Documentation=man:ixfrdist.yml(5)
b14d512f PL	5	Documentation=https://doc.powerdns.com
b14d512f PL	6	Wants=network-online.target
c6725600	7	After=network-online.target time-sync.target
b14d512f PL	8
	9	[Service]
	10	Type=simple
b14d512f PL	11	ExecStart=@bindir@/ixfrdist
	12	Restart=on-failure
	13	RestartSec=1
	14	StartLimitInterval=0
ddf3fafa RG	15
ddf3fafa RG	16	# Sandboxing
afa0d592	17	CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
ddf3fafa	18	LockPersonality=true
b14d512f	19	NoNewPrivileges=true
ddf3fafa RG	20	PrivateDevices=true
	21	PrivateTmp=true
	22	# Setting PrivateUsers=true prevents us from opening our sockets
	23	ProtectClock=true
	24	ProtectControlGroups=true
b14d512f	25	ProtectHome=true
ddf3fafa RG	26	ProtectHostname=true
	27	ProtectKernelLogs=true
	28	ProtectKernelModules=true
	29	ProtectKernelTunables=true
	30	ProtectSystem=full
b14d512f	31	RestrictAddressFamilies=AF_INET AF_INET6
ddf3fafa RG	32	RestrictNamespaces=true
	33	RestrictRealtime=true
	34	RestrictSUIDSGID=true
	35	SystemCallArchitectures=native
	36	SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
3a0c3b68	37	ProtectProc=invisible
77a8401f PL	38	PrivateIPC=true
77a8401f PL	39	RemoveIPC=true
a4e4a9d0	40	DevicePolicy=closed
3b78486a	41	MemoryDenyWriteExecute=true
b14d512f PL	42
	43	[Install]
	44	WantedBy=multi-user.target