2019-05-23 18:07:31 +02:00
|
|
|
[Unit]
|
|
|
|
|
Description=Routinator 3000
|
|
|
|
|
Documentation=man:routinator(1)
|
|
|
|
|
After=network.target
|
|
|
|
|
|
|
|
|
|
[Service]
|
2019-05-29 17:56:21 +02:00
|
|
|
ExecStart=/usr/bin/routinator --config=/etc/routinator/routinator.conf --syslog server
|
2019-05-23 18:07:31 +02:00
|
|
|
Type=exec
|
2019-12-29 16:15:55 +01:00
|
|
|
Restart=on-failure
|
2019-05-23 18:07:31 +02:00
|
|
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
2020-09-29 13:48:16 +02:00
|
|
|
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
|
2019-05-23 18:07:31 +02:00
|
|
|
LockPersonality=yes
|
|
|
|
|
MemoryDenyWriteExecute=yes
|
|
|
|
|
NoNewPrivileges=yes
|
|
|
|
|
PrivateDevices=yes
|
|
|
|
|
PrivateTmp=yes
|
|
|
|
|
ProtectControlGroups=yes
|
|
|
|
|
ProtectHome=yes
|
|
|
|
|
ProtectKernelModules=yes
|
|
|
|
|
ProtectKernelTunables=yes
|
|
|
|
|
ProtectSystem=strict
|
|
|
|
|
ReadWritePaths=/var/lib/routinator/
|
|
|
|
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
|
|
|
|
RestrictNamespaces=yes
|
|
|
|
|
RestrictRealtime=yes
|
|
|
|
|
StateDirectory=routinator
|
|
|
|
|
SystemCallArchitectures=native
|
|
|
|
|
SystemCallErrorNumber=EPERM
|
|
|
|
|
SystemCallFilter=@system-service
|
|
|
|
|
|
|
|
|
|
[Install]
|
|
|
|
|
WantedBy=multi-user.target
|
|
|
|
|
|
