contrib/unbound/contrib/unbound.service.in

   1 [Unit]
   2 Description=Validating, recursive, and caching DNS resolver
   3 Documentation=man:unbound(8)
   4 After=network.target
   5 Before=network-online.target nss-lookup.target
   6 Wants=nss-lookup.target
   7
   8 [Install]
   9 WantedBy=multi-user.target
  10
  11 [Service]
  12 ExecReload=/bin/kill -HUP $MAINPID
  13 ExecStart=@UNBOUND_SBIN_DIR@/unbound
  14 NotifyAccess=main
  15 Type=notify
  16 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE
  17 MemoryDenyWriteExecute=true
  18 NoNewPrivileges=true
  19 PrivateDevices=true
  20 PrivateTmp=true
  21 ProtectHome=true
  22 ProtectControlGroups=true
  23 ProtectKernelModules=true
  24 ProtectKernelTunables=true
  25 ProtectSystem=strict
  26 ReadWritePaths=@UNBOUND_SYSCONF_DIR@ @UNBOUND_LOCALSTATE_DIR@ /run @UNBOUND_RUN_DIR@
  27 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
  28 RestrictRealtime=true
  29 SystemCallArchitectures=native
  30 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
  31