authorGeorge Rawlinson2021-08-27 20:59:31 +0000
committerGeorge Rawlinson2021-08-27 20:59:31 +0000
commitdc9e72390fd1dbd84816c4ed61bab19b654378c2 (patch)
tree01ff09912585b7d3353d83b2a0f6ce880e05815f /systemd.service
parent84e2902b31cc9b34f8be7038c3dfaa7421932e86 (diff)
upgpkg: cloudflared 2021.8.5-1
* New upstream release. * Skip previous release due to quic-go dependency mismatch. Ref: https://github.com/cloudflare/cloudflared/issues/444
Diffstat (limited to 'systemd.service')
-rw-r--r--systemd.service56
1 files changed, 56 insertions, 0 deletions
diff --git a/systemd.service b/systemd.service
new file mode 100644
index 000000000000..08dc89503416
--- /dev/null
+++ b/systemd.service
@@ -0,0 +1,56 @@
+[Unit]
+Description=Argo Tunnel client daemon for Cloudflared
+After=network.target
+Wants=network.target
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/cloudflared --config /etc/cloudflared/config.yml --no-autoupdate
+User=cloudflared
+Group=cloudflared
+Restart=on-failure
+RestartSec=5s
+TimeoutStartSec=0
+
+# Allow cloudflared access to logfile
+ReadWritePaths=/var/log/cloudflared.log
+
+# Allow cloudflared to bind ports in the range of 0-1024 and restrict it to
+# that capability
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# If cloudflared is run at ports >1024, you should apply these options via a
+# drop-in file
+#CapabilityBoundingSet=
+#AmbientCapabilities=
+#PrivateUsers=yes
+
+NoNewPrivileges=true
+LimitNOFILE=1048576
+UMask=0077
+
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
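Review bot: `ReadWritePaths=/var/log/cloudflared.log` names a single file under `ProtectSystem=strict`, so if that file is missing when the unit starts, systemd fails the mount-namespace setup and the service never runs; nothing in this diff creates it, though the diffstat is limited to this file and a tmpfiles or install step may exist elsewhere. The service cannot create the file itself because /var/log stays read-only, and a rotation that replaces the file may leave the bind mount pointing at the old inode. Consider `LogsDirectory=cloudflared` with the log path in config.yml moved under /var/log/cloudflared, which systemd creates and chowns for `User=cloudflared`, or at minimum `ReadWritePaths=-/var/log/cloudflared.log` so a missing file is tolerated. Separately, `TimeoutStartSec=0` combined with `Type=notify` means a daemon that never reports readiness stays in "activating" indefinitely and `Restart=on-failure` never fires; a finite start timeout would restore that recovery path.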