From: Michael Tremer Date: Wed, 1 Feb 2023 15:26:34 +0000 (+0000) Subject: networkd: Install a systemd service file X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5d968c0188b8181db6f392f925d7875e12e7e21b;p=people%2Fms%2Fnetwork.git networkd: Install a systemd service file Signed-off-by: Michael Tremer --- diff --git a/.gitignore b/.gitignore index e3bae672..9194c936 100644 --- a/.gitignore +++ b/.gitignore @@ -8,6 +8,7 @@ /src/inetcalc /src/libnetwork/libnetwork.pc /src/network.pc +/src/networkd/networkd.service /src/ppp/ip-updown /src/systemd/*.service /test/nitsi/test/settings diff --git a/Makefile.am b/Makefile.am index 4802de3c..3a3f82c3 100644 --- a/Makefile.am +++ b/Makefile.am @@ -65,6 +65,7 @@ sbin_PROGRAMS = dist_dbuspolicy_DATA = dist_dbussystembus_DATA = dist_polkitpolicy_DATA = +systemdsystemunit_DATA = AM_CPPFLAGS = \ $(OUR_CPPFLAGS) \ @@ -342,6 +343,15 @@ dist_dbussystembus_DATA += \ dist_polkitpolicy_DATA += \ src/networkd/org.ipfire.network1.policy +systemdsystemunit_DATA += \ + src/networkd/networkd.service + +EXTRA_DIST += \ + src/networkd/networkd.service.in + +CLEANFILES += \ + src/networkd/networkd.service + # ------------------------------------------------------------------------------ util_PROGRAMS = \ @@ -406,7 +416,7 @@ UNINSTALL_EXEC_HOOKS += ppp-uninstall-hook # ------------------------------------------------------------------------------ if HAVE_SYSTEMD -systemdsystemunit_DATA = \ +systemdsystemunit_DATA += \ src/systemd/firewall.service \ src/systemd/firewall-init.service \ src/systemd/network-init.service \ diff --git a/src/networkd/networkd.service.in b/src/networkd/networkd.service.in new file mode 100644 index 00000000..43610239 --- /dev/null +++ b/src/networkd/networkd.service.in 
@@ -0,0 +1,45 @@
+[Unit]
+Description=Network Configuration
+Documentation=man:networkd.service(8)
+
+ConditionCapability=CAP_NET_ADMIN
+DefaultDependencies=no
+# systemd-udevd.service can be dropped once tuntap is moved to netlink
+After=systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service
+Before=network.target multi-user.target shutdown.target
+Conflicts=shutdown.target
+Wants=network.target
+
+[Service]
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+BusName=org.ipfire.network1
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+DeviceAllow=char-* rw
+ExecStart=@sbindir@/networkd
+FileDescriptorStoreMax=512
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+ProtectProc=invisible
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectSystem=strict
+Restart=on-failure
+RestartSec=0
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+Type=notify-reload
+User=network
+WatchdogSec=3min
+
+[Install]
+WantedBy=multi-user.target
+Alias=dbus-org.ipfire.network1.service
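Review bot: `DeviceAllow=char-* rw` puts every character-device class on the unit's device allow-list, which is far wider than the rest of this otherwise tightly sandboxed `[Service]` section. The comment above `After=` names only tuntap, so if that is the only node the daemon opens itself, `DeviceAllow=/dev/net/tun rw` (plus any other node it really needs) would leave file permissions for `User=network` as a second barrier rather than the only one. Separately, `ProtectSystem=strict` leaves the service with no writable path, since the unit declares no `RuntimeDirectory=`, `StateDirectory=` or `ReadWritePaths=`; if networkd persists leases or other state, one of these presumably has to be added. A one-line comment above `Type=notify-reload` such as `# needs systemd >= 253; the daemon must send RELOADING=1 on SIGHUP` would also help packagers, because older systemd versions reject that service type.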