nlnetlabs-rtrtr/pkg/common/rtrtr.rtrtr.service

[Unit]
Description=RTRTR
Documentation=https://nlnetlabs.nl/projects/rpki/rtrtr/
After=network.target

[Service]
ExecStart=/usr/bin/rtrtr --config=/etc/rtrtr.conf
Type=exec
Restart=on-failure
User=rtrtr
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
StateDirectory=rtrtr
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
Initial attempt at DEB packaging for RTRTR. Creates a home dir as Lintian insists when using --system that --home also be used. Includes a default /etc/rtrtr.conf config file that logs to syslog and uses an any unit with no sources, intended to be customized by the user and so the installed systemd service is not enabled by default. 2021-03-10 16:45:19 +01:00			`[Unit]`
			`Description=RTRTR`
			`Documentation=https://nlnetlabs.nl/projects/rpki/rtrtr/`
			`After=network.target`

			`[Service]`
			`ExecStart=/usr/bin/rtrtr --config=/etc/rtrtr.conf`
			`Type=exec`
			`Restart=on-failure`
			`User=rtrtr`
			`AmbientCapabilities=CAP_NET_BIND_SERVICE`
			`CapabilityBoundingSet=CAP_NET_BIND_SERVICE`
			`LockPersonality=yes`
			`MemoryDenyWriteExecute=yes`
			`NoNewPrivileges=yes`
			`PrivateDevices=yes`
			`PrivateTmp=yes`
			`ProtectControlGroups=yes`
			`ProtectHome=yes`
			`ProtectKernelModules=yes`
			`ProtectKernelTunables=yes`
			`ProtectSystem=strict`
			`RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`
			`RestrictNamespaces=yes`
			`RestrictRealtime=yes`
			`StateDirectory=rtrtr`
			`SystemCallArchitectures=native`
			`SystemCallErrorNumber=EPERM`
			`SystemCallFilter=@system-service`

			`[Install]`
			`WantedBy=multi-user.target`