Update service files

restrictions
author: uvok cheetah 2025-02-09 14:01:10 +0100
committer: uvok cheetah 2025-02-09 14:01:10 +0100
commit: 51b69224c7e4bf3819dcb260f59e684c3b297cc9 (patch)
tree: 1b3d21528be79b36f03cb469b93969a56f8a2964 /roles/linux-ns/files/systemd/dn42_wg@.service
parent: a2ec10dbd30a17d2ede8ae8897d9245d748c0b3f (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/roles/linux-ns/files/systemd/dn42_wg@.service b/roles/linux-ns/files/systemd/dn42_wg@.service
index 16a1ba6..0f67fda 100644
--- a/roles/linux-ns/files/systemd/dn42_wg@.service
+++ b/roles/linux-ns/files/systemd/dn42_wg@.service
@@ -1,5 +1,3 @@
-# wireguard tunnels inside the namespace
-
 [Unit]
 Description=WireGuard via wg-quick(8) for %I
 PartOf=wg-quick.target
@@ -22,6 +20,9 @@ Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
 NetworkNamespacePath=/run/netns/dn42
 BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
 ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
 
 [Install]
 WantedBy=multi-user.target
author	uvok cheetah	2025-02-09 14:01:10 +0100
committer	uvok cheetah	2025-02-09 14:01:10 +0100
commit	51b69224c7e4bf3819dcb260f59e684c3b297cc9 (patch)
tree	1b3d21528be79b36f03cb469b93969a56f8a2964 /roles/linux-ns/files/systemd/dn42_wg@.service
parent	a2ec10dbd30a17d2ede8ae8897d9245d748c0b3f (diff)