Adding DynamicUser to systemd service file, enhancing socket and service (#261)
* Adding nss-lookup.target to the socket Before and Wants directive. Adding current upstream wiki as documentation to service and socket file.
Adding DynamicUser=yes to the service file, alongside various hardening settings (Protect{ControlGroups,KernelModules}. Allowing the service to bind to ports below 1024 by setting CAP_NET_BIND_SERVICE. Adding {Cache,Logs,Runtime}Directory for dnscrypt-proxy. Removing (default) Type=simple. Adding a more default ExecStart location and usage of configuration.
* systemd/dnscrypt-proxy.socket: Adding back ipv6 functionality.
* systemd/dnscrypt-proxy.service: Updating Description to match project name.
Explicitely setting ProtectHome=yes. Adding information on the DynamicUser settings.
* systemd/dnscrypt-proxy.socket: Updating description to match project name.
* systemd/dnscrypt-proxy.service: Adding Requires= and Also= for dnscrypt-proxy.socket in favor of CAP_NET_BIND_SERVICE capabilities.
* dnscrypt-proxy/example-dnscrypt-proxy.toml: Clarifying how to set listen_addresses, when using systemd socket activation.
This commit is contained in:
David Runge
Frank Denis
parent
3e4b7671d1
commit
fa2c95084e
|
|
@ -26,7 +26,7 @@
|
|||
|
||||
|
||||
## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
|
||||
## To only use systemd activation sockets, use an empty set: []
|
||||
## Note: When using systemd socket activation, choose an empty set (i.e. [] ).
|
||||
|
||||
listen_addresses = ['127.0.0.1:53', '[::1]:53']
|
||||
|
||||
|
|
|
|||
|
|
@ -1,27 +1,26 @@
|
|||
[Unit]
|
||||
Description=DNSCrypt client proxy
|
||||
Documentation=man:dnscrypt-proxy(8)
|
||||
Description=DNSCrypt-proxy client
|
||||
Documentation=https://github.com/jedisct1/dnscrypt-proxy/wiki
|
||||
Requires=dnscrypt-proxy.socket
|
||||
After=network.target
|
||||
Before=nss-lookup.target
|
||||
Wants=nss-lookup.target
|
||||
|
||||
[Install]
|
||||
Also=dnscrypt-proxy.socket
|
||||
WantedBy=multi-user.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
NonBlocking=true
|
||||
ProtectHome=true
|
||||
|
||||
# Change this
|
||||
ExecStart=/opt/dnscrypt-proxy/dnscrypt-proxy
|
||||
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
|
||||
ProtectHome=yes
|
||||
ProtectControlGroups=yes
|
||||
ProtectKernelModules=yes
|
||||
|
||||
# Run dnscrypt-proxy as unprivileged user with
|
||||
# temporary assigned UID/GID. See man:systemd.exec
|
||||
# for more info. Requires systemd 232+.
|
||||
#DynamicUser=yes
|
||||
#CacheDirectory=dnscrypt-proxy
|
||||
#LogsDirectory=dnscrypt-proxy
|
||||
#RuntimeDirectory=dnscrypt-proxy
|
||||
DynamicUser=yes
|
||||
CacheDirectory=dnscrypt-proxy
|
||||
LogsDirectory=dnscrypt-proxy
|
||||
RuntimeDirectory=dnscrypt-proxy
|
||||
|
||||
[Install]
|
||||
Also=dnscrypt-proxy.socket
|
||||
WantedBy=multi-user.target
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
[Unit]
|
||||
Description=dnscrypt-proxy listening socket
|
||||
Description=DNSCrypt-proxy socket
|
||||
Documentation=https://github.com/jedisct1/dnscrypt-proxy/wiki
|
||||
Before=nss-lookup.target
|
||||
Wants=nss-lookup.target
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue