123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657 |
- [Unit]
- Description=decentralized network whois daemon
- Documentation=https://codeberg.org/mark22k/dnet-whois
- After=network.target
- [Service]
- RestrictAddressFamilies=AF_INET AF_INET6
- PrivateTmp=yes
- DeviceAllow=
- PrivateDevices=true
- PrivateMounts=true
- ProtectClock=true
- ProtectControlGroups=true
- ProtectKernelLogs=true
- ProtectKernelModules=true
- ProtectKernelTunables=true
- ProtectProc=noaccess
- ProtectSystem=true
- ProtectHome=read-only
- RestrictSUIDSGID=true
- SystemCallArchitectures=native
- SystemCallFilter=~@clock
- SystemCallFilter=~@debug
- SystemCallFilter=~@module
- SystemCallFilter=~@mount
- SystemCallFilter=~@raw-io
- SystemCallFilter=~@reboot
- SystemCallFilter=~@swap
- SystemCallFilter=~@privileged
- SystemCallFilter=~@resources
- SystemCallFilter=~@cpu-emulation
- SystemCallFilter=~@obsolete
- RestrictNamespaces=true
- RestrictRealtime=true
- LockPersonality=true
- MemoryDenyWriteExecute=true
- RemoveIPC=true
- UMask=600
- ProtectHostname=true
- ProcSubset=pid
- PermissionsStartOnly=true
- LimitNOFILE=1048576
- LimitNPROC=512
- CapabilityBoundingSet=CAP_NET_BIND_SERVICE
- AmbientCapabilities=CAP_NET_BIND_SERVICE
- NoNewPrivileges=true
- User=marek
- Group=marek
- ExecStart=/usr/bin/ruby /home/dnet-whois/dnet-whois/lib/main.rb /home/dnet-whois/config.json
- ExecReload=/bin/kill -SIGUSR1 $MAINPID
- Restart=on-failure
- [Install]
- WantedBy=multi-user.target