blob: b0e17e362ee7dbf7d2c9346031489254de74ece3 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
|
[Unit]
Description = Netbird Service (%i)
Documentation = https://netbird.io/docs
After = network-online.target syslog.target
Wants = network-online.target
[Service]
Type = simple
EnvironmentFile = -/etc/default/netbird
ExecStartPre = +-/usr/bin/chown netbird:netbird -R /etc/netbird
ExecStart = /usr/bin/netbird service run --config /etc/netbird/%i.json --log-file console $NETBIRD_CLIENT_ARGS
Restart = on-failure
RestartSec = 5
TimeoutStopSec = 10
User = netbird
RuntimeDirectory = netbird
ConfigurationDirectory = netbird
AmbientCapabilities = CAP_NET_ADMIN CAP_SYS_MODULE
CapabilityBoundingSet = CAP_NET_ADMIN CAP_SYS_MODULE
DevicePolicy = closed
LockPersonality = yes
MemoryDenyWriteExecute = yes
NoNewPrivileges = yes
PrivateDevices = yes
PrivateMounts = yes
PrivateTmp = yes
ProtectClock = yes
ProtectControlGroups = yes
ProtectHome = yes
ProtectHostname = yes
ProtectKernelLogs = yes
ProtectKernelModules = no
ProtectKernelTunables = no
ProtectSystem = strict
RemoveIPC = yes
RestrictAddressFamilies = AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces = yes
RestrictRealtime = yes
RestrictSUIDSGID = yes
SystemCallArchitectures = native
SystemCallFilter = ~@clock @cpu-emulation @privileged @module @raw-io @reboot @mount @obsolete @debug @swap
[Install]
WantedBy = multi-user.target
|