path: root/ladder.service
blob: 3b85ec53abffe060183b8bfbdba2285023d66df8 (plain)
[Unit]
Description = Ladder server
Documentation = https://github.com/everywall/ladder
# Pull in network-online.target and order this unit after it, so the
# service is not started before the network is reported as up.
Wants = network-online.target
After = network-online.target

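[Service]
# Foreground process supervised directly by systemd.
Type = simple
# Optional overrides; the leading "-" makes a missing file non-fatal.
# Keep this file writable by root only, since its contents reach the service environment.
EnvironmentFile = -/etc/default/ladder
# The ruleset must be readable by the service user. ProtectSystem=strict below
# keeps /etc read-only from inside the service.
ExecStart = /usr/bin/ladder --ruleset /etc/ladder/ruleset.yaml
Restart = on-failure
# Seconds to wait before a restart.
RestartSec = 5
# Seconds to wait for a clean stop before the process is killed.
TimeoutStopSec = 10
# Run unprivileged. If no static "ladder" account exists, DynamicUser allocates
# one for the lifetime of the service.
User = ladder
DynamicUser = yes

# Bind to ports lower than 1024
AmbientCapabilities = CAP_NET_BIND_SERVICE
# Limit the bounding set to the one capability that is granted, so no other
# capability can be acquired later.
CapabilityBoundingSet = CAP_NET_BIND_SERVICE

# Isolation
LockPersonality = yes
MemoryDenyWriteExecute = yes
NoNewPrivileges = yes
PrivateMounts = yes
PrivateTmp = yes
ProtectClock = yes
ProtectControlGroups = yes
ProtectHome = yes
ProtectHostname = yes
ProtectKernelLogs = yes
# NOTE(review): the next two were set to "no" with no stated reason. Nothing in
# this unit loads kernel modules or writes sysctls, so they are enabled to match
# the rest of the sandbox. Document the reason if either must be relaxed.
ProtectKernelModules = yes
ProtectKernelTunables = yes
ProtectSystem = strict
RemoveIPC = yes
RestrictNamespaces = yes
RestrictRealtime = yes
RestrictSUIDSGID = yes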

[Install]
# "systemctl enable" hooks the unit into the normal multi-user boot target.
WantedBy = multi-user.target