path: root/derper.service
blob: d8b42bd886419770a848caf033ceca248aeeab4c (plain)
[Unit]
# Unit metadata for the derper binary from tailscale/tailscale/cmd/derper
Description=derper service
Documentation=https://github.com/tailscale/tailscale/tree/main/cmd/derper
# Start only once the network is reported up; Requires= (not Wants=) makes
# this a hard dependency, so the service is stopped if that target goes down
After=network-online.target
Requires=network-online.target

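[Service]
# Basic Configuration
# Certificate generation runs before every start, under the same dynamic user
# and sandbox as the main process, so the script can only write to paths that
# are writable below (e.g. the state directory) -- TODO confirm against
# /etc/derper/openssl-cert-gen.sh
ExecStartPre=/usr/bin/sh /etc/derper/openssl-cert-gen.sh
# DERPER_ARGS is supplied by the EnvironmentFile below; it expands to nothing
# when unset
ExecStart=/usr/bin/derper $DERPER_ARGS
ExecReload=/usr/bin/kill -HUP $MAINPID
Restart=on-failure

# User and Directory Configuration
# Transient unprivileged user allocated at start. Per systemd.exec(5) this also
# implies PrivateTmp=, RemoveIPC=, RestrictSUIDSGID=, NoNewPrivileges=,
# ProtectHome=read-only and ProtectSystem=strict.
DynamicUser=true
# /var/lib/derper is created, owned by the dynamic user and writable
StateDirectory=derper
WorkingDirectory=/var/lib/derper
# Leading '-': a missing file is not a start failure
EnvironmentFile=-/etc/conf.d/derper

# File Permission and Path Protections
# Repeated ReadOnlyPaths= lines accumulate (systemd list semantics); the '-'
# prefix ignores a missing path
ReadOnlyPaths=/etc/derper
ReadOnlyPaths=-/etc/conf.d/derper
# Already writable via StateDirectory=; kept as an explicit allow-list entry
ReadWritePaths=/var/lib/derper

# File Descriptor Limit
LimitNOFILE=65535

# Security Settings
# Booleans are written as true/false throughout (systemd also accepts
# yes/no, on/off, 1/0 -- do not mix forms in this file)
NoNewPrivileges=true
LockPersonality=true
# NOTE(review): DynamicUser= implies ProtectSystem=strict; verify the value
# actually enforced with `systemctl show derper.service -p ProtectSystem` and
# consider writing strict here so the file states what applies
ProtectSystem=full
ProtectHome=true
ProtectControlGroups=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectHostname=true
MemoryDenyWriteExecute=true
RestrictNamespaces=true
RestrictRealtime=true
PrivateDevices=true
# Further candidates (RestrictAddressFamilies=, SystemCallFilter=,
# SystemCallArchitectures=, ProtectKernelLogs=, ProtectClock=) are not set
# because the address families and syscalls derper needs are not verified
# here; review with `systemd-analyze security derper.service` before adding

# Capability Settings
# Only CAP_NET_BIND_SERVICE is retained: the bounding set limits what may ever
# be acquired, and the ambient set grants it to the unprivileged process so it
# can bind privileged ports (<1024) without root
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE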

[Install]
# Pulled in by the multi-user boot target once enabled with `systemctl enable`
WantedBy=multi-user.target