54 lines
1.6 KiB
SYSTEMD
54 lines
1.6 KiB
SYSTEMD
[Unit]
|
|
Description=DNSCrypt-proxy client
|
|
Documentation=https://github.com/jedisct1/dnscrypt-proxy/wiki
|
|
|
|
## Use systemd sockets. Disable on TCP_NODELAY fail. Then define ip address in dnscrypt-proxy.toml.
|
|
Requires=dnscrypt-proxy.socket
|
|
|
|
## Start service after the network is online.
|
|
## Requires a wait service such as NetworkManager or systemd-networkd.
|
|
## Verify using:
|
|
## systemctl is-enabled NetworkManager-wait-online.service systemd-networkd-wait-online.service
|
|
## Then enable:
|
|
## systemctl enable NetworkManager-wait-online.service
|
|
## Or alternatively:
|
|
## systemctl enable systemd-networkd-wait-online.service
|
|
After=network-online.target
|
|
Wants=network-online.target
|
|
|
|
## DNSCrypt-proxy provides and requires name resolution.
|
|
Before=nss-lookup.target
|
|
Wants=nss-lookup.target
|
|
|
|
[Service]
|
|
## Set O_NONBLOCK flag for socket unit.
|
|
NonBlocking=true
|
|
|
|
## Execute dnscrypt-proxy with configuration file.
|
|
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
|
|
|
|
## Make /home, /root and /run/user read only.
|
|
ProtectHome=yes
|
|
|
|
## Make Linux control groups read only.
|
|
ProtectControlGroups=yes
|
|
|
|
## Deny explicit module loading.
|
|
ProtectKernelModules=yes
|
|
|
|
## Run dnscrypt-proxy as unprivileged user with
|
|
## temporary assigned UID/GID. See man:systemd.exec
|
|
## for more info. Requires systemd 232+.
|
|
DynamicUser=yes
|
|
CacheDirectory=dnscrypt-proxy
|
|
LogsDirectory=dnscrypt-proxy
|
|
RuntimeDirectory=dnscrypt-proxy
|
|
|
|
[Install]
|
|
## Install socket unit.
|
|
Also=dnscrypt-proxy.socket
|
|
|
|
## Create symlink for systemd to pull in the unit when starting multi-user.target
|
|
## Can be found in /etc/systemd/system/multi-user.target.wants/
|
|
WantedBy=multi-user.target
|