Adding DynamicUser to systemd service file, enhancing socket and service (#261)
* Adding nss-lookup.target to the socket Before and Wants directive. Adding current upstream wiki as documentation to service and socket file. Adding DynamicUser=yes to the service file, alongside various hardening settings (Protect{ControlGroups,KernelModules}. Allowing the service to bind to ports below 1024 by setting CAP_NET_BIND_SERVICE. Adding {Cache,Logs,Runtime}Directory for dnscrypt-proxy. Removing (default) Type=simple. Adding a more default ExecStart location and usage of configuration. * systemd/dnscrypt-proxy.socket: Adding back ipv6 functionality. * systemd/dnscrypt-proxy.service: Updating Description to match project name. Explicitely setting ProtectHome=yes. Adding information on the DynamicUser settings. * systemd/dnscrypt-proxy.socket: Updating description to match project name. * systemd/dnscrypt-proxy.service: Adding Requires= and Also= for dnscrypt-proxy.socket in favor of CAP_NET_BIND_SERVICE capabilities. * dnscrypt-proxy/example-dnscrypt-proxy.toml: Clarifying how to set listen_addresses, when using systemd socket activation.
This commit is contained in:
parent
3e4b7671d1
commit
fa2c95084e
|
@ -26,7 +26,7 @@
|
||||||
|
|
||||||
|
|
||||||
## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
|
## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
|
||||||
## To only use systemd activation sockets, use an empty set: []
|
## Note: When using systemd socket activation, choose an empty set (i.e. [] ).
|
||||||
|
|
||||||
listen_addresses = ['127.0.0.1:53', '[::1]:53']
|
listen_addresses = ['127.0.0.1:53', '[::1]:53']
|
||||||
|
|
||||||
|
|
|
@ -1,27 +1,26 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=DNSCrypt client proxy
|
Description=DNSCrypt-proxy client
|
||||||
Documentation=man:dnscrypt-proxy(8)
|
Documentation=https://github.com/jedisct1/dnscrypt-proxy/wiki
|
||||||
Requires=dnscrypt-proxy.socket
|
Requires=dnscrypt-proxy.socket
|
||||||
After=network.target
|
After=network.target
|
||||||
Before=nss-lookup.target
|
Before=nss-lookup.target
|
||||||
Wants=nss-lookup.target
|
Wants=nss-lookup.target
|
||||||
|
|
||||||
[Install]
|
|
||||||
Also=dnscrypt-proxy.socket
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=simple
|
|
||||||
NonBlocking=true
|
NonBlocking=true
|
||||||
ProtectHome=true
|
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
|
||||||
|
ProtectHome=yes
|
||||||
# Change this
|
ProtectControlGroups=yes
|
||||||
ExecStart=/opt/dnscrypt-proxy/dnscrypt-proxy
|
ProtectKernelModules=yes
|
||||||
|
|
||||||
# Run dnscrypt-proxy as unprivileged user with
|
# Run dnscrypt-proxy as unprivileged user with
|
||||||
# temporary assigned UID/GID. See man:systemd.exec
|
# temporary assigned UID/GID. See man:systemd.exec
|
||||||
# for more info. Requires systemd 232+.
|
# for more info. Requires systemd 232+.
|
||||||
#DynamicUser=yes
|
DynamicUser=yes
|
||||||
#CacheDirectory=dnscrypt-proxy
|
CacheDirectory=dnscrypt-proxy
|
||||||
#LogsDirectory=dnscrypt-proxy
|
LogsDirectory=dnscrypt-proxy
|
||||||
#RuntimeDirectory=dnscrypt-proxy
|
RuntimeDirectory=dnscrypt-proxy
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
Also=dnscrypt-proxy.socket
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=dnscrypt-proxy listening socket
|
Description=DNSCrypt-proxy socket
|
||||||
|
Documentation=https://github.com/jedisct1/dnscrypt-proxy/wiki
|
||||||
Before=nss-lookup.target
|
Before=nss-lookup.target
|
||||||
Wants=nss-lookup.target
|
Wants=nss-lookup.target
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue