Last active
April 15, 2019 11:11
-
-
Save LoadLow/faa18766725c0abbc8c1e7335e674ed8 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Unit] | |
| Description=BIRD routing daemon | |
| #After=network-online.target | |
| #Wants=network-online.target | |
| After=network.target | |
| [Service] | |
| Type=forking | |
| ExecStart=/usr/sbin/bird -c /etc/bird.conf -u bird -g bird | |
| ExecReload=/usr/bin/birdc configure | |
| ExecStop=/usr/bin/birdc down | |
| Group=bird | |
| NoNewPrivileges=yes | |
| PrivateTmp=yes | |
| ProtectSystem=strict | |
| ProtectControlGroups=yes | |
| ProtectKernelModules=yes | |
| RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK | |
| RestrictRealtime=yes | |
| ReadWritePaths=/var/run | |
| MemoryDenyWriteExecute=yes | |
| CapabilityBoundingSet=CAP_FOWNER CAP_CHOWN CAP_SETUID CAP_SETGID CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW | |
| SystemCallArchitectures=native | |
| SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources | |
| [Install] | |
| WantedBy=multi-user.target |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Unit] | |
| Description=NSD Name Server Daemon | |
| After=network.target | |
| [Service] | |
| PIDFile=/run/nsd/nsd.pid | |
| ExecStart=/usr/bin/nsd -d -c /etc/nsd/nsd.conf | |
| ExecReload=/bin/kill -HUP $MAINPID | |
| PermissionsStartOnly=true | |
| KillMode=process | |
| Restart=always | |
| CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_CHOWN | |
| MemoryDenyWriteExecute=true | |
| NoNewPrivileges=true | |
| PrivateDevices=true | |
| PrivateTmp=true | |
| ProtectHome=true | |
| ProtectControlGroups=true | |
| ProtectKernelModules=true | |
| ProtectKernelTunables=true | |
| ProtectSystem=strict | |
| ReadWritePaths=/etc/nsd /run /var/db/nsd | |
| RestrictAddressFamilies=AF_INET AF_UNIX AF_INET6 | |
| RestrictRealtime=true | |
| SystemCallArchitectures=native | |
| SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources | |
| [Install] | |
| WantedBy=multi-user.target |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [Unit] | |
| Description=Unbound DNS Resolver | |
| Wants=nss-lookup.target | |
| Before=network-online.target nss-lookup.target | |
| After=network.target | |
| [Service] | |
| ExecStart=/usr/bin/unbound | |
| ExecReload=/bin/kill -HUP $MAINPID | |
| Restart=always | |
| PermissionsStartOnly=true | |
| KillMode=process | |
| LimitNOFILE=4600 | |
| CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT | |
| MemoryDenyWriteExecute=true | |
| NoNewPrivileges=true | |
| PrivateDevices=true | |
| PrivateTmp=true | |
| ProtectHome=true | |
| ProtectControlGroups=true | |
| ProtectKernelModules=true | |
| ProtectKernelTunables=true | |
| ProtectSystem=strict | |
| ReadWritePaths=/etc/unbound /run | |
| RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX | |
| RestrictRealtime=true | |
| SystemCallArchitectures=native | |
| SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete | |
| [Install] | |
| WantedBy=multi-user.target |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment