diff options
author | George Rawlinson | 2021-08-27 20:59:31 +0000 |
---|---|---|
committer | George Rawlinson | 2021-08-27 20:59:31 +0000 |
commit | dc9e72390fd1dbd84816c4ed61bab19b654378c2 (patch) | |
tree | 01ff09912585b7d3353d83b2a0f6ce880e05815f /systemd.service | |
parent | 84e2902b31cc9b34f8be7038c3dfaa7421932e86 (diff) | |
download | aur-dc9e72390fd1dbd84816c4ed61bab19b654378c2.tar.gz |
upgpkg: cloudflared 2021.8.5-1
* New upstream release.
* Skip previous release due to quic-go dependency mismatch.
Ref: https://github.com/cloudflare/cloudflared/issues/444
Diffstat (limited to 'systemd.service')
-rw-r--r-- | systemd.service | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/systemd.service b/systemd.service new file mode 100644 index 000000000000..08dc89503416 --- /dev/null +++ b/systemd.service @@ -0,0 +1,56 @@ +[Unit] +Description=Argo Tunnel client daemon for Cloudflared +After=network.target +Wants=network.target + +[Service] +Type=notify +ExecStart=/usr/bin/cloudflared --config /etc/cloudflared/config.yml --no-autoupdate +User=cloudflared +Group=cloudflared +Restart=on-failure +RestartSec=5s +TimeoutStartSec=0 + +# Allow cloudflared access to logfile +ReadWritePaths=/var/log/cloudflared.log + +# Allow cloudflared to bind ports in the range of 0-1024 and restrict it to +# that capability +CapabilityBoundingSet=CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_BIND_SERVICE + +# If cloudflared is run at ports >1024, you should apply these options via a +# drop-in file +#CapabilityBoundingSet= +#AmbientCapabilities= +#PrivateUsers=yes + +NoNewPrivileges=true +LimitNOFILE=1048576 +UMask=0077 + +ProtectSystem=strict +ProtectHome=true +PrivateTmp=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=true +LockPersonality=true +MemoryDenyWriteExecute=true +RestrictRealtime=true +RestrictSUIDSGID=true +RemoveIPC=true + +SystemCallFilter=@system-service +SystemCallFilter=~@privileged @resources +SystemCallArchitectures=native + +[Install] +WantedBy=multi-user.target |