| author | uvok cheetah | 2025-02-02 15:21:26 +0100 | 
|---|---|---|
| committer | uvok cheetah | 2025-02-02 15:21:26 +0100 | 
| commit | 526797b41c8dfffc7e74a951c17ef96734980e7a (patch) | |
| tree | 84e562022de12f2cedc089ae8d0cbfdc02c595e9 /roles/linux-ns/files/systemd/dn42_pdns.service | |
| parent | 0ee94b306e667225b64804f169f15a961e966511 (diff) | |
Add role for Dn42 and network namespace
Diffstat (limited to 'roles/linux-ns/files/systemd/dn42_pdns.service')
| -rw-r--r-- | roles/linux-ns/files/systemd/dn42_pdns.service | 56 | 
1 files changed, 56 insertions, 0 deletions
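diff --git a/roles/linux-ns/files/systemd/dn42_pdns.service b/roles/linux-ns/files/systemd/dn42_pdns.service
new file mode 100644
index 0000000..86c61d1
--- /dev/null
+++ b/roles/linux-ns/files/systemd/dn42_pdns.service
@@ -0,0 +1,56 @@
+# powerdns in namespace
+
+[Unit]
+Description=PowerDNS Authoritative Server dn42
+Documentation=man:pdns_server(1) man:pdns_control(1)
+Documentation=https://doc.powerdns.com
+Wants=network-online.target
+After=network-online.target time-sync.target
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+ExecStart=/usr/sbin/pdns_server --config-name=dn42 --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
+SyslogIdentifier=pdns_server-dn42
+User=pdns
+Group=pdns
+Type=notify
+Restart=on-failure
+RestartSec=1
+StartLimitInterval=0
+RuntimeDirectory=pdns-dn42
+
+# Sandboxing
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+# Setting PrivateUsers=true prevents us from opening our sockets
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+# ProtectSystem=full will disallow write access to /etc and /usr, possibly
+# not being able to write slaved-zones into sqlite3 or zonefiles.
+ProtectSystem=full
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
+ProtectProc=invisible
+PrivateIPC=true
+RemoveIPC=true
+DevicePolicy=closed
+# Not enabled by default because it does not play well with LuaJIT
+# MemoryDenyWriteExecute=true
+NetworkNamespacePath=/run/netns/dn42
+
+[Install]
+WantedBy=multi-user.target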
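Review bot: `StartLimitInterval=0` in the [Service] section is the legacy spelling; current systemd expects `StartLimitIntervalSec=0` in the [Unit] section, and together with `Restart=on-failure` and `RestartSec=1` it disables start rate limiting entirely, so a misconfigured or crashing pdns_server will be restarted every second indefinitely — worth a comment stating that this is intentional, e.g. `# Rate limiting disabled on purpose: restart forever until the dn42 namespace is usable`. The grant of `CAP_CHOWN` in both `CapabilityBoundingSet=` and `AmbientCapabilities=` is undocumented in the unit; since it is the only capability beyond binding port 53, a one-line comment naming what pdns_server needs it for (presumably ownership of its control socket under the `RuntimeDirectory=`, confirm) would let a future reviewer judge whether it can be dropped. `SystemCallFilter=~ @clock @debug …` is a deny-list, which leaves every syscall group not named here permitted; an allow-list of the form `SystemCallFilter=@system-service` followed by the same `~` exclusions is the tighter and more maintainable shape, though it should be verified against pdns_server on this host before switching. The two comments explaining `PrivateUsers=` and `ProtectSystem=full` are valuable and the same style would serve the points above.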
