]> git.ipfire.org Git - people/ms/network.git/commitdiff
networkd: Install a systemd service file
authorMichael Tremer <michael.tremer@ipfire.org>
Wed, 1 Feb 2023 15:26:34 +0000 (15:26 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 1 Feb 2023 15:26:34 +0000 (15:26 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
.gitignore
Makefile.am
src/networkd/networkd.service.in [new file with mode: 0644]

index e3bae6723c696c79dc7623b061cc975cafa01ff0..9194c93693c4f7689a647c4ae085a1e9feeb5740 100644 (file)
@@ -8,6 +8,7 @@
 /src/inetcalc
 /src/libnetwork/libnetwork.pc
 /src/network.pc
+/src/networkd/networkd.service
 /src/ppp/ip-updown
 /src/systemd/*.service
 /test/nitsi/test/settings
index 4802de3cfdf97ede259969e5528b3a512d7c603d..3a3f82c3e0b5a29f40507bbb454da67973307ece 100644 (file)
@@ -65,6 +65,7 @@ sbin_PROGRAMS =
 dist_dbuspolicy_DATA =
 dist_dbussystembus_DATA =
 dist_polkitpolicy_DATA =
+systemdsystemunit_DATA =
 
 AM_CPPFLAGS = \
        $(OUR_CPPFLAGS) \
@@ -342,6 +343,15 @@ dist_dbussystembus_DATA += \
 dist_polkitpolicy_DATA += \
        src/networkd/org.ipfire.network1.policy
 
+systemdsystemunit_DATA += \
+       src/networkd/networkd.service
+
+EXTRA_DIST += \
+       src/networkd/networkd.service.in
+
+CLEANFILES += \
+       src/networkd/networkd.service
+
 # ------------------------------------------------------------------------------
 
 util_PROGRAMS = \
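Review bot: The new `systemdsystemunit_DATA += src/networkd/networkd.service` is added unconditionally, while the existing unit files further down in this file are listed inside `if HAVE_SYSTEMD`. If `systemdsystemunitdir` is only defined when systemd is detected (configure.ac is not shown here), a build without systemd would install through an empty directory variable. Wrapping the three additions in `if HAVE_SYSTEMD` / `endif` would keep them consistent with the other units. The rule that generates `networkd.service` from `networkd.service.in` and substitutes `@sbindir@` is also outside this hunk, so confirm the existing `.in` rule covers `src/networkd/`.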
@@ -406,7 +416,7 @@ UNINSTALL_EXEC_HOOKS += ppp-uninstall-hook
 # ------------------------------------------------------------------------------
 
 if HAVE_SYSTEMD
-systemdsystemunit_DATA = \
+systemdsystemunit_DATA += \
        src/systemd/firewall.service \
        src/systemd/firewall-init.service \
        src/systemd/network-init.service \
diff --git a/src/networkd/networkd.service.in b/src/networkd/networkd.service.in
new file mode 100644 (file)
index 0000000..4361023
--- /dev/null
@@ -0,0 +1,45 @@
+[Unit]
+Description=Network Configuration
+Documentation=man:networkd.service(8)
+
+ConditionCapability=CAP_NET_ADMIN
+DefaultDependencies=no
+# systemd-udevd.service can be dropped once tuntap is moved to netlink
+After=systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service
+Before=network.target multi-user.target shutdown.target
+Conflicts=shutdown.target
+Wants=network.target
+
+[Service]
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+BusName=org.ipfire.network1
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+DeviceAllow=char-* rw
+ExecStart=@sbindir@/networkd
+FileDescriptorStoreMax=512
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+ProtectProc=invisible
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectSystem=strict
+Restart=on-failure
+RestartSec=0
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+Type=notify-reload
+User=network
+WatchdogSec=3min
+
+[Install]
+WantedBy=multi-user.target
+Alias=dbus-org.ipfire.network1.service
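Review bot: `DeviceAllow=char-* rw` is the one broad grant in an otherwise tight sandbox: it opens every character-device class to the service, leaving ordinary file permissions for `User=network` as the only remaining limit. The comment above `After=` names tuntap as the device dependency, so if that is the only node networkd opens, `DeviceAllow=/dev/net/tun rw` would state it exactly. Separately, `ProtectSystem=strict` leaves the daemon with no writable path, because the unit declares no `RuntimeDirectory=`, `StateDirectory=` or `ReadWritePaths=`; if networkd persists anything such as leases or state files, add the matching directive rather than loosening `ProtectSystem`. `Type=notify-reload` also needs systemd 253 or later and a daemon that answers SIGHUP with `RELOADING=1`, neither of which this commit shows.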