Fix multiple vulnerabilities in unbound.
[FreeBSD/FreeBSD.git] / contrib / unbound / contrib / unbound_portable.service.in
1 ; This unit file is provided to run unbound as a portable service.
2 ; https://systemd.io/PORTABLE_SERVICES/
3 ;
4 ; To use this unit file, please make sure you either compile unbound with the
5 ; following options:
6 ;
7 ;  - --with-chroot-dir=""
8 ;
9 ; Or put the following options in your unbound configuration file:
10 ;
11 ;  - chroot: ""
12 ;
13 ;
14 [Unit]
15 Description=Validating, recursive, and caching DNS resolver
16 Documentation=man:unbound(8)
; Ordering only: start once network.target has been reached, and before
; network-online.target and nss-lookup.target, so that units ordered after
; nss-lookup.target are started after the resolver.
17 After=network.target
18 Before=network-online.target nss-lookup.target
; Pulls nss-lookup.target into the transaction when this unit is started.
19 Wants=nss-lookup.target
20
21 [Install]
; Enabling the unit hooks it into multi-user.target, i.e. a normal boot.
22 WantedBy=multi-user.target
23
24 [Service]
; Runs unbound in the foreground under systemd's sandboxing options.
; No User=/Group= is set in this unit.
; NOTE(review): presumably unbound drops root itself through its own
; configuration (CAP_SETUID/CAP_SETGID are kept below) - confirm, otherwise
; the daemon stays root inside the bounding set.

; The "+" prefix runs the reload command with full privileges, exempt from
; the sandbox settings of this unit; it sends SIGHUP to the main process.
25 ExecReload=+/bin/kill -HUP $MAINPID
; @UNBOUND_SBIN_DIR@ is substituted when this .in template is processed.
; -d keeps unbound in the foreground, -p disables the pidfile.
26 ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
; Readiness is reported via sd_notify; only messages from the main process
; are accepted.
27 NotifyAccess=main
28 Type=notify
; Upper bound on the capabilities the service can ever hold.
; NOTE(review): the header of this file requires chroot to be disabled, so
; CAP_SYS_CHROOT may no longer be needed here; the need for CAP_NET_RAW is
; not visible from this file either - confirm before trimming.
29 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
; Refuse memory mappings that are writable and executable at the same time.
30 MemoryDenyWriteExecute=true
; The service and its children cannot gain privileges through execve()
; (setuid/setgid bits, file capabilities).
31 NoNewPrivileges=true
; Private /dev without physical devices, private /tmp and /var/tmp, and no
; access to home directories.
32 PrivateDevices=true
33 PrivateTmp=true
34 ProtectHome=true
35 ProtectControlGroups=true
36 ProtectKernelModules=true
; The file system hierarchy is mounted read-only for the service; the
; directories managed below are the intended locations for its own data.
37 ProtectSystem=strict
; Directory names relative to the runtime (/run), configuration (/etc) and
; state (/var/lib) roots; systemd creates them when the unit starts.
38 RuntimeDirectory=unbound
39 ConfigurationDirectory=unbound
40 StateDirectory=unbound
; Only IPv4, IPv6 and UNIX-domain sockets can be created.
41 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
42 RestrictRealtime=true
43 SystemCallArchitectures=native
; The leading "~" makes this a deny-list: the listed groups and calls are
; blocked, everything else stays allowed. "mount" is the single system call,
; not the @mount group.
; NOTE(review): @resources is denied while CAP_SYS_RESOURCE is kept in the
; bounding set above - confirm that both are intended. An allow-list based
; on @system-service would be stricter than a deny-list, but needs testing
; against the daemon before it replaces this line.
44 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
45 RestrictNamespaces=yes
46 LockPersonality=yes
47 RestrictSUIDSGID=yes
; Make the notification socket (writable) and the log/journal sockets
; (read-only) visible inside the service's file system view.
; NOTE(review): presumably needed because a portable service runs from its
; own image root - confirm against the portable services documentation.
48 BindPaths=/run/systemd/notify
49 BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
; NOTE(review): ProtectKernelTunables=, ProtectKernelLogs=, ProtectClock= and
; ProtectHostname= are not set in this unit; "systemd-analyze security" on
; the installed unit lists what remains exposed.