[Unit] Description=Wesnoth-1.10 Server Daemon Documentation=https://www.wesnoth.org/wiki/ServerAdministration Documentation=man:wesnothd-1.10(6) After=network.target # They use by default the same port, may be changed with the -p option. Conflicts=wesnothd.service wesnothd-1.0.service wesnothd-1.2.service wesnothd-1.4.service wesnothd-1.6.service wesnothd-1.8.service wesnothd-1.12.service wesnothd-1.14.service wesnothd-devel.service wesnothd-git.service [Service] # If wesnothd is started from within the game it runs under a different user. # Deleting the pipe resets owner, group and mode. ExecStartPre=/bin/rm -f /run/wesnothd-1.10/socket ExecStart=/usr/bin/wesnothd-1.10 # You can use -c to specify a same configuration file # (and make sure wesnothd has the required access permissions). # Remove remaining administration pipe: ExecStopPost=/bin/rm -f /run/wesnothd-1.10/socket SyslogIdentifier=Wesnothd-1.10 # Apply security settings only to ExecStart, so the Pre & Post steps run as root PermissionsStartOnly=yes WorkingDirectory=/run/wesnothd-1.10 User=nobody Group=users # Additional security-related features: PrivateTmp=yes PrivateDevices=yes ProtectSystem=strict ProtectHome=yes # When specifying with the -c option a file in the home directory, # set ProtectHome=read-only and whitelist the directory or file with # ReadWritePaths. ReadWritePaths=/run/wesnothd-1.10 InaccessiblePaths=/usr/include InaccessiblePaths=/usr/src InaccessiblePaths=/boot InaccessiblePaths=/media InaccessiblePaths=/mnt InaccessiblePaths=/srv InaccessiblePaths=/opt InaccessiblePaths=/var NoNewPrivileges=yes RestrictAddressFamilies=AF_INET AF_UNIX RestrictRealtime=yes MemoryDenyWriteExecute=yes SystemCallArchitectures=native ProtectControlGroups=yes ProtectKernelTunables=yes ProtectKernelModules=yes RestrictNamespaces=yes LockPersonality=yes [Install] WantedBy=multi-user.target