Further enhance systemd unit file
- Add more comments/documentation. - Add dependencies for services and proxy scanners. - Add more limit configurations. - Allow AF_UNIX address family, required for syslog!
parent
8e09180295
commit
74f021fb44
|
@ -1,24 +1,40 @@
|
||||||
|
# ngIRCd systemd service unit.
|
||||||
|
# See systemd(1), systemd.unit(5), systemd.service(5), systemd.exec(5).
|
||||||
|
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=Next Generation IRC Daemon
|
Description=Next Generation IRC Daemon
|
||||||
Documentation=man:ngircd(8) man:ngircd.conf(5) https://ngircd.barton.de
|
Documentation=man:ngircd(8) man:ngircd.conf(5) https://ngircd.barton.de
|
||||||
After=network.target
|
After=network.target
|
||||||
|
Wants=anope.service atheme.service irc-services.service
|
||||||
|
Wants=bopm.service
|
||||||
|
Before=anope.service atheme.service irc-services.service
|
||||||
|
Before=bopm.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=forking
|
Type=forking
|
||||||
User=irc
|
User=irc
|
||||||
Group=irc
|
Group=irc
|
||||||
|
# Settings & limits:
|
||||||
CapabilityBoundingSet=CAP_SYS_CHROOT CAP_NET_BIND_SERVICE
|
CapabilityBoundingSet=CAP_SYS_CHROOT CAP_NET_BIND_SERVICE
|
||||||
PrivateTmp=yes
|
MemoryDenyWriteExecute=yes
|
||||||
|
NoNewPrivileges=yes
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
|
PrivateTmp=yes
|
||||||
|
ProtectControlGroups=yes
|
||||||
|
ProtectHome=yes
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
ProtectKernelTunables=yes
|
||||||
ProtectSystem=full
|
ProtectSystem=full
|
||||||
ProtectHome=true
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||||
NoNewPrivileges=true
|
RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_INET AF_INET6
|
|
||||||
RuntimeDirectory=ircd
|
RuntimeDirectory=ircd
|
||||||
RuntimeDirectoryMode=750
|
RuntimeDirectoryMode=750
|
||||||
|
# Try to load "default files" from any Debian package variant to keep this
|
||||||
|
# unit generic.
|
||||||
EnvironmentFile=-/etc/default/ngircd
|
EnvironmentFile=-/etc/default/ngircd
|
||||||
EnvironmentFile=-/etc/default/ngircd-full
|
EnvironmentFile=-/etc/default/ngircd-full
|
||||||
EnvironmentFile=-/etc/default/ngircd-full-dbg
|
EnvironmentFile=-/etc/default/ngircd-full-dbg
|
||||||
|
# Start ngIRCd. Note: systemd doesn't allow to use $DAEMON here!
|
||||||
ExecStart=/usr/sbin/ngircd $PARAMS
|
ExecStart=/usr/sbin/ngircd $PARAMS
|
||||||
ExecReload=/bin/kill -HUP $MAINPID
|
ExecReload=/bin/kill -HUP $MAINPID
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
|
|
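Review bot: The two new `Wants=` lines in `[Unit]` make systemd start anope, atheme, irc-services and bopm every time ngircd starts. That includes hosts where those units are installed but the administrator has disabled them, since only masking blocks a `Wants=` pull-in. If the intent is only that ngIRCd is up before services and proxy scanners connect, the `Before=anope.service atheme.service irc-services.service` and `Before=bopm.service` lines already provide that ordering, and the `Wants=` lines can be dropped. Separately, the commit message says AF_UNIX is required for syslog, but the unit does not; a comment above `RestrictAddressFamilies=` such as `# AF_UNIX is required for logging to syslog.` would keep a later hardening pass from removing it.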