authoruvok cheetah2025-02-09 17:57:14 +0100
committeruvok cheetah2025-02-09 17:57:14 +0100
commita3ee42d1dde090c5baad512ff8707f7e2c068433 (patch)
treea619ef2f51c548a235b188cac19c7cf337686424 /roles/linux-ns/files/systemd/dn42_pdns.service
parentbb989a2148686d1eb4f49b5aa2597c5162436196 (diff)
LintingHEADmaster
Diffstat (limited to 'roles/linux-ns/files/systemd/dn42_pdns.service')
-rw-r--r--roles/linux-ns/files/systemd/dn42_pdns.service55
1 files changed, 0 insertions, 55 deletions
diff --git a/roles/linux-ns/files/systemd/dn42_pdns.service b/roles/linux-ns/files/systemd/dn42_pdns.service
deleted file mode 100644
index 45cc367..0000000
--- a/roles/linux-ns/files/systemd/dn42_pdns.service
+++ /dev/null
@@ -1,55 +0,0 @@
-[Unit]
-Description=PowerDNS Authoritative Server dn42
-Documentation=man:pdns_server(1) man:pdns_control(1)
-Documentation=https://doc.powerdns.com
-Wants=network-online.target
-After=network-online.target time-sync.target
-After=dn42_namespace.service
-Requires=dn42_namespace.service
-
-[Service]
-ExecStart=/usr/sbin/pdns_server --config-name=dn42 --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
-SyslogIdentifier=pdns_server-dn42
-User=pdns
-Group=pdns
-Type=notify
-Restart=on-failure
-RestartSec=1
-StartLimitInterval=0
-RuntimeDirectory=pdns-dn42
-BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
-
-# Sandboxing
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
-AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
-LockPersonality=true
-NoNewPrivileges=true
-PrivateDevices=true
-PrivateTmp=true
-# Setting PrivateUsers=true prevents us from opening our sockets
-ProtectClock=true
-ProtectControlGroups=true
-ProtectHome=true
-ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
-# ProtectSystem=full will disallow write access to /etc and /usr, possibly
-# not being able to write slaved-zones into sqlite3 or zonefiles.
-ProtectSystem=full
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
-SystemCallArchitectures=native
-SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
-ProtectProc=invisible
-PrivateIPC=true
-RemoveIPC=true
-DevicePolicy=closed
-# Not enabled by default because it does not play well with LuaJIT
-# MemoryDenyWriteExecute=true
-NetworkNamespacePath=/run/netns/dn42
-
-[Install]
-WantedBy=multi-user.target