authoruvok cheetah2025-02-09 14:01:10 +0100
committeruvok cheetah2025-02-09 14:01:10 +0100
commit51b69224c7e4bf3819dcb260f59e684c3b297cc9 (patch)
tree1b3d21528be79b36f03cb469b93969a56f8a2964
parenta2ec10dbd30a17d2ede8ae8897d9245d748c0b3f (diff)
Update service files
restrictions
-rw-r--r--roles/linux-ns/files/systemd/dn42_bird-lg.service9
-rw-r--r--roles/linux-ns/files/systemd/dn42_bird-lgproxy.service9
-rw-r--r--roles/linux-ns/files/systemd/dn42_bird.service2
-rw-r--r--roles/linux-ns/files/systemd/dn42_nginx.service37
-rw-r--r--roles/linux-ns/files/systemd/dn42_pdns.service3
-rw-r--r--roles/linux-ns/files/systemd/dn42_tinc@.service7
-rw-r--r--roles/linux-ns/files/systemd/dn42_wg@.service5
-rw-r--r--roles/linux-ns/files/systemd/my-netns@.service2
8 files changed, 58 insertions, 16 deletions
diff --git a/roles/linux-ns/files/systemd/dn42_bird-lg.service b/roles/linux-ns/files/systemd/dn42_bird-lg.service
index 9ea081c..85c5358 100644
--- a/roles/linux-ns/files/systemd/dn42_bird-lg.service
+++ b/roles/linux-ns/files/systemd/dn42_bird-lg.service
@@ -1,7 +1,5 @@
-# bird-lg service for DN42
-
[Unit]
-Description=Run Bird Looking Glass - DN42
+Description=Run Bird Looking Glass - DN42 edition
Requires=network-online.target
After=network-online.target
After=dn42_namespace.service
@@ -9,11 +7,16 @@ Requires=dn42_namespace.service
[Service]
ExecStart=/bin/bash /home/lgproxy/lgstart.sh
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
User=lgproxy
WorkingDirectory=/home/lgproxy/
Environment="LG_PORT=6142"
Environment="LG_CONFIG_FILE=/home/lgproxy/lg/lg-dn42.cfg"
NetworkNamespacePath=/run/netns/dn42
+Type=exec
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
[Install]
WantedBy=default.target
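Review bot: The new `PrivateTmp=`/`PrivateDevices=`/`PrivateIPC=` lines still leave this unit without `ProtectSystem=` and `NoNewPrivileges=`, although dn42_tinc@.service and dn42_wg@.service in this same commit already run under `ProtectSystem=strict`; the same applies to the dn42_bird-lgproxy.service hunk. Both looking-glass units run a shell script as `User=lgproxy` from `/home/lgproxy`, so `ProtectSystem=strict` plus `NoNewPrivileges=true` would limit what a compromised script can reach, with `ReadWritePaths=/home/lgproxy/` added if the script writes state or logs there (presumably it does; verify against lgstart.sh). Note also that with `Type=exec` the unit counts as started once `/bin/bash` has exec'd, not once the listener on LG_PORT is up, so dependents may race it unless the script execs the daemon directly.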
diff --git a/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service b/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service
index cc48ffb..273ab16 100644
--- a/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service
+++ b/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service
@@ -1,19 +1,22 @@
-# bird-lgproxy service for DN42
-
[Unit]
Description=Run Bird Looking Glass Proxy
-Requires=network-online.target bird.service
+Requires=network-online.target dn42_bird.service
After=network-online.target dn42_bird.service
After=dn42_namespace.service
Requires=dn42_namespace.service
[Service]
ExecStart=/bin/bash /home/lgproxy/start.sh
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
User=lgproxy
WorkingDirectory=/home/lgproxy/
Environment="LGPROXY_PORT=6042"
Environment="LGPROXY_CONFIG_FILE=/home/lgproxy/lgp/lgproxy-dn42.cfg"
NetworkNamespacePath=/run/netns/dn42
+Type=exec
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
[Install]
WantedBy=default.target
diff --git a/roles/linux-ns/files/systemd/dn42_bird.service b/roles/linux-ns/files/systemd/dn42_bird.service
index a4e74fd..cbf80f0 100644
--- a/roles/linux-ns/files/systemd/dn42_bird.service
+++ b/roles/linux-ns/files/systemd/dn42_bird.service
@@ -1,5 +1,3 @@
-# bird service for dn42
-
[Unit]
Description=BIRD Internet Routing Daemon - DN42 daemon
After=network.target
diff --git a/roles/linux-ns/files/systemd/dn42_nginx.service b/roles/linux-ns/files/systemd/dn42_nginx.service
new file mode 100644
index 0000000..43d8a67
--- /dev/null
+++ b/roles/linux-ns/files/systemd/dn42_nginx.service
@@ -0,0 +1,37 @@
+# Stop dance for nginx
+# =======================
+#
+# ExecStop sends SIGQUIT (graceful stop) to the nginx process.
+# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
+# and sends SIGTERM (fast shutdown) to the main process.
+# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
+# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
+#
+# nginx signals reference doc:
+# http://nginx.org/en/docs/control.html
+#
+[Unit]
+Description=A high performance web server and a reverse proxy server
+Documentation=man:nginx(8)
+After=network-online.target remote-fs.target nss-lookup.target
+Wants=network-online.target
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+Type=forking
+PIDFile=/run/dn42_nginx.pid
+ExecStartPre=/usr/sbin/nginx -t -q -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;'
+ExecStart=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;'
+ExecReload=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;' -s reload
+ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/dn42_nginx.pid
+TimeoutStopSec=5
+KillMode=mixed
+NetworkNamespacePath=/run/netns/dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
+
+[Install]
+WantedBy=multi-user.target
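Review bot: The nginx master runs as root here (no `User=`) and the `[Service]` section adds only the three `Private*=` settings, so it is isolated less than the `ProtectSystem=strict` units elsewhere in this role even though it is the one exposed to HTTP clients. The usual nginx model keeps a root master that drops to the worker user from the config, which still works with `ProtectSystem=full`, `ProtectHome=true` and `NoNewPrivileges=true` (setuid to a less privileged user is not blocked by no_new_privs); `full` rather than `strict` avoids having to enumerate the log and cache directories. `Type=forking` with `PIDFile=/run/dn42_nginx.pid` only works if `/etc/nginx/dn42/nginx.conf` sets `pid /run/dn42_nginx.pid;` — nothing in the unit passes it via `-g`, so this should be confirmed or added as `-g 'pid /run/dn42_nginx.pid; daemon on; master_process on;'` on the three Exec lines.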
diff --git a/roles/linux-ns/files/systemd/dn42_pdns.service b/roles/linux-ns/files/systemd/dn42_pdns.service
index 86c61d1..45cc367 100644
--- a/roles/linux-ns/files/systemd/dn42_pdns.service
+++ b/roles/linux-ns/files/systemd/dn42_pdns.service
@@ -1,5 +1,3 @@
-# powerdns in namespace
-
[Unit]
Description=PowerDNS Authoritative Server dn42
Documentation=man:pdns_server(1) man:pdns_control(1)
@@ -19,6 +17,7 @@ Restart=on-failure
RestartSec=1
StartLimitInterval=0
RuntimeDirectory=pdns-dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
# Sandboxing
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
diff --git a/roles/linux-ns/files/systemd/dn42_tinc@.service b/roles/linux-ns/files/systemd/dn42_tinc@.service
index 8949467..bf17815 100644
--- a/roles/linux-ns/files/systemd/dn42_tinc@.service
+++ b/roles/linux-ns/files/systemd/dn42_tinc@.service
@@ -1,5 +1,3 @@
-# tinc inside dn42 namespace
-
[Unit]
Description=Tinc net %i in namespace dn42
Documentation=info:tinc
@@ -24,5 +22,10 @@ BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
ProtectSystem=strict
RuntimeDirectory=./tinc/dn42/
+PrivateTmp=true
+#tun
+#PrivateDevices=true
+PrivateIPC=true
+
#[Install]
#WantedBy=tinc.service
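Review bot: The `#tun` line above the commented-out `#PrivateDevices=true` does not tell a later reader why the setting is off; I would replace it with `# PrivateDevices= left off: tinc opens /dev/net/tun, which a private /dev does not contain`. If some device-level restriction is still wanted, the cgroup device controller can do it without hiding the tun node: `DevicePolicy=closed` together with `DeviceAllow=/dev/net/tun rw` keeps every other device node off-limits while tinc can still create its interface. The rest of the `[Service]` section of this unit starts before the hunk, so I cannot see whether a `DeviceAllow=` is already present.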
diff --git a/roles/linux-ns/files/systemd/dn42_wg@.service b/roles/linux-ns/files/systemd/dn42_wg@.service
index 16a1ba6..0f67fda 100644
--- a/roles/linux-ns/files/systemd/dn42_wg@.service
+++ b/roles/linux-ns/files/systemd/dn42_wg@.service
@@ -1,5 +1,3 @@
-# wireguard tunnels inside the namespace
-
[Unit]
Description=WireGuard via wg-quick(8) for %I
PartOf=wg-quick.target
@@ -22,6 +20,9 @@ Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
NetworkNamespacePath=/run/netns/dn42
BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
[Install]
WantedBy=multi-user.target
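Review bot: `PrivateDevices=true` is turned on for the wg-quick unit while the dn42_tinc@.service hunk in the same commit deliberately leaves it off for the tun device; the difference should be documented so nobody "fixes" the inconsistency later. Kernel WireGuard is created over netlink and needs nothing from /dev, but wg-quick falls back to a userspace implementation when the kernel module is missing, and that path opens /dev/net/tun and would fail under a private /dev — presumably the hosts here use the kernel module, but it is worth confirming. A one-line comment above the new setting, `# PrivateDevices= is fine for kernel WireGuard; userspace wireguard-go would need /dev/net/tun`, captures that.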
diff --git a/roles/linux-ns/files/systemd/my-netns@.service b/roles/linux-ns/files/systemd/my-netns@.service
index 7368028..c9735b7 100644
--- a/roles/linux-ns/files/systemd/my-netns@.service
+++ b/roles/linux-ns/files/systemd/my-netns@.service
@@ -1,5 +1,3 @@
-# actual setup of the minimal namespace
-
[Unit]
Description=Named network namespace %I
Documentation=https://github.com/Jamesits/systemd-named-netns