blob: 77bfe3004d530a27a211200b29a106da26fe8d50 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
[Unit]
Description=Simple DNS proxy with DoH, DoT, and DNSCrypt support by AdguardTeam
After=network.target
[Service]
Restart=always
DynamicUser=true
StateDirectory=dnsproxy-adguard
WorkingDirectory=/var/lib/dnsproxy-adguard
EnvironmentFile=/etc/conf.d/dnsproxy-adguard
ExecStart=/usr/bin/dnsproxy-adguard -l $ADDRESS -p $PORT $UPSTREAMS $OTHER_PARAMS
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
DevicePolicy=closed
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=noaccess
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
[Install]
WantedBy=multi-user.target
|