-rw-r--r-- | roles/linux-ns/files/systemd/dn42_bird-lg.service | 9 | ||||
-rw-r--r-- | roles/linux-ns/files/systemd/dn42_bird-lgproxy.service | 9 | ||||
-rw-r--r-- | roles/linux-ns/files/systemd/dn42_bird.service | 2 | ||||
-rw-r--r-- | roles/linux-ns/files/systemd/dn42_nginx.service | 37 | ||||
-rw-r--r-- | roles/linux-ns/files/systemd/dn42_pdns.service | 3 | ||||
-rw-r--r-- | roles/linux-ns/files/systemd/dn42_tinc@.service | 7 | ||||
-rw-r--r-- | roles/linux-ns/files/systemd/dn42_wg@.service | 5 | ||||
-rw-r--r-- | roles/linux-ns/files/systemd/my-netns@.service | 2 |
8 files changed, 58 insertions, 16 deletions
diff --git a/roles/linux-ns/files/systemd/dn42_bird-lg.service b/roles/linux-ns/files/systemd/dn42_bird-lg.service
index 9ea081c..85c5358 100644
--- a/roles/linux-ns/files/systemd/dn42_bird-lg.service
+++ b/roles/linux-ns/files/systemd/dn42_bird-lg.service
@@ -1,7 +1,5 @@
-# bird-lg service for DN42
-
 [Unit]
-Description=Run Bird Looking Glass - DN42
+Description=Run Bird Looking Glass - DN42 edition
 Requires=network-online.target
 After=network-online.target
 After=dn42_namespace.service
@@ -9,11 +7,16 @@ Requires=dn42_namespace.service
 
 [Service]
 ExecStart=/bin/bash /home/lgproxy/lgstart.sh
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
 User=lgproxy
 WorkingDirectory=/home/lgproxy/
 Environment="LG_PORT=6142"
 Environment="LG_CONFIG_FILE=/home/lgproxy/lg/lg-dn42.cfg"
 NetworkNamespacePath=/run/netns/dn42
+Type=exec
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
 
 [Install]
 WantedBy=default.target
diff --git a/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service b/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service
index cc48ffb..273ab16 100644
--- a/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service
+++ b/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service
@@ -1,19 +1,22 @@
-# bird-lgproxy service for DN42
-
 [Unit]
 Description=Run Bird Looking Glass Proxy
-Requires=network-online.target bird.service
+Requires=network-online.target dn42_bird.service
 After=network-online.target dn42_bird.service
 After=dn42_namespace.service
 Requires=dn42_namespace.service
 
 [Service]
 ExecStart=/bin/bash /home/lgproxy/start.sh
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
 User=lgproxy
 WorkingDirectory=/home/lgproxy/
 Environment="LGPROXY_PORT=6042"
 Environment="LGPROXY_CONFIG_FILE=/home/lgproxy/lgp/lgproxy-dn42.cfg"
 NetworkNamespacePath=/run/netns/dn42
+Type=exec
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
 
 [Install]
 WantedBy=default.target
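Review bot: The new hardening in the dn42_bird-lg [Service] block stops at PrivateTmp/PrivateDevices/PrivateIPC while the unit still runs `/bin/bash /home/lgproxy/lgstart.sh` out of the service user's own writable home with no ProtectSystem=, NoNewPrivileges= or similar confinement; the dn42_bird-lgproxy.service hunk below has the same gap. The dn42_tinc@ and dn42_wg@ units touched by this commit already carry `ProtectSystem=strict`, so the two looking-glass units are the odd ones out. Adding `NoNewPrivileges=true` and `ProtectSystem=strict`, with `ReadWritePaths=/home/lgproxy` only if the start scripts actually write there (they are not in the diff), would bring them in line. The `BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf` line is now repeated verbatim in six units; a shared drop-in for the dn42 namespace units would keep that bind in one place.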
diff --git a/roles/linux-ns/files/systemd/dn42_bird.service b/roles/linux-ns/files/systemd/dn42_bird.service
index a4e74fd..cbf80f0 100644
--- a/roles/linux-ns/files/systemd/dn42_bird.service
+++ b/roles/linux-ns/files/systemd/dn42_bird.service
@@ -1,5 +1,3 @@
-# bird service for dn42
-
 [Unit]
 Description=BIRD Internet Routing Daemon - DN42 daemon
 After=network.target
diff --git a/roles/linux-ns/files/systemd/dn42_nginx.service b/roles/linux-ns/files/systemd/dn42_nginx.service
new file mode 100644
index 0000000..43d8a67
--- /dev/null
+++ b/roles/linux-ns/files/systemd/dn42_nginx.service
@@ -0,0 +1,37 @@
+# Stop dance for nginx
+# =======================
+#
+# ExecStop sends SIGQUIT (graceful stop) to the nginx process.
+# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
+# and sends SIGTERM (fast shutdown) to the main process.
+# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
+# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
+#
+# nginx signals reference doc:
+# http://nginx.org/en/docs/control.html
+#
+[Unit]
+Description=A high performance web server and a reverse proxy server
+Documentation=man:nginx(8)
+After=network-online.target remote-fs.target nss-lookup.target
+Wants=network-online.target
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+Type=forking
+PIDFile=/run/dn42_nginx.pid
+ExecStartPre=/usr/sbin/nginx -t -q -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;'
+ExecStart=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;'
+ExecReload=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;' -s reload
+ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/dn42_nginx.pid
+TimeoutStopSec=5
+KillMode=mixed
+NetworkNamespacePath=/run/netns/dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/linux-ns/files/systemd/dn42_pdns.service b/roles/linux-ns/files/systemd/dn42_pdns.service
index 86c61d1..45cc367 100644
--- a/roles/linux-ns/files/systemd/dn42_pdns.service
+++ b/roles/linux-ns/files/systemd/dn42_pdns.service
@@ -1,5 +1,3 @@
-# powerdns in namespace
-
 [Unit]
 Description=PowerDNS Authoritative Server dn42
 Documentation=man:pdns_server(1) man:pdns_control(1)
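Review bot: The nginx master in this new unit keeps full root (no `User=`, no capability bounding set) and is confined only by the three Private* settings, whereas the dn42_pdns unit in the same tree restricts itself with CapabilityBoundingSet= and the tinc/wg units use ProtectSystem=strict; `ProtectHome=true` and `NoNewPrivileges=true` can be added without interfering with nginx's own privilege drop for its workers, and a CapabilityBoundingSet= modelled on the pdns unit is worth working out against what /etc/nginx/dn42/nginx.conf actually needs (ports below 1024, log and temp directory ownership). Separately, `PIDFile=/run/dn42_nginx.pid` and the `--pidfile /run/dn42_nginx.pid` in ExecStop only line up if that config sets the same `pid` path; the config is not part of the diff, so this cannot be confirmed here. Because ExecStop carries a leading `-`, a start-stop-daemon failure is ignored and the stop falls through to the SIGTERM/SIGKILL sequence the header comment describes, which is acceptable but makes a pid-path mismatch easy to miss.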
@@ -19,6 +17,7 @@ Restart=on-failure
 RestartSec=1
 StartLimitInterval=0
 RuntimeDirectory=pdns-dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
 
 # Sandboxing
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
diff --git a/roles/linux-ns/files/systemd/dn42_tinc@.service b/roles/linux-ns/files/systemd/dn42_tinc@.service
index 8949467..bf17815 100644
--- a/roles/linux-ns/files/systemd/dn42_tinc@.service
+++ b/roles/linux-ns/files/systemd/dn42_tinc@.service
@@ -1,5 +1,3 @@
-# tinc inside dn42 namespace
-
 [Unit]
 Description=Tinc net %i in namespace dn42
 Documentation=info:tinc
@@ -24,5 +22,10 @@ BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
 ProtectSystem=strict
 RuntimeDirectory=./tinc/dn42/
 
+PrivateTmp=true
+#tun
+#PrivateDevices=true
+PrivateIPC=true
+
 #[Install]
 #WantedBy=tinc.service
diff --git a/roles/linux-ns/files/systemd/dn42_wg@.service b/roles/linux-ns/files/systemd/dn42_wg@.service
index 16a1ba6..0f67fda 100644
--- a/roles/linux-ns/files/systemd/dn42_wg@.service
+++ b/roles/linux-ns/files/systemd/dn42_wg@.service
@@ -1,5 +1,3 @@
-# wireguard tunnels inside the namespace
-
 [Unit]
 Description=WireGuard via wg-quick(8) for %I
 PartOf=wg-quick.target
@@ -22,6 +20,9 @@ Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
 NetworkNamespacePath=/run/netns/dn42
 BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
 ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/roles/linux-ns/files/systemd/my-netns@.service b/roles/linux-ns/files/systemd/my-netns@.service
index 7368028..c9735b7 100644
--- a/roles/linux-ns/files/systemd/my-netns@.service
+++ b/roles/linux-ns/files/systemd/my-netns@.service
@@ -1,5 +1,3 @@
-# actual setup of the minimal namespace
-
 [Unit]
 Description=Named network namespace %I
 Documentation=https://github.com/Jamesits/systemd-named-netns
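Review bot: In the dn42_tinc@ hunk the `#tun` line above the disabled `#PrivateDevices=true` is too terse to tell a later reader why this is the one unit in the commit that skips device isolation; `# PrivateDevices=true would hide /dev/net/tun, which tinc needs to create its interface` records the reason and guards against a cleanup that re-enables it. If some device restriction is still wanted, `DevicePolicy=closed` together with `DeviceAllow=/dev/net/tun rw` filters through the cgroup device controller instead of a private /dev and so leaves the tun node reachable; that combination has not been verified against this unit here. The rest of the [Service] section of dn42_tinc@ lies outside this hunk.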
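Review bot: In the dn42_wg@ hunk `PrivateDevices=true` hides /dev/net/tun from the wg-quick template, so the tunnel can only come up through the in-kernel WireGuard implementation; the userspace fallback wg-quick attempts when the kernel module is absent needs that device node and would fail at interface creation. That is a sound choice for a hardened unit, but it is silent here while the tinc unit in the same commit comments its PrivateDevices decision; a line such as `# PrivateDevices hides /dev/net/tun: requires in-kernel WireGuard, no userspace fallback` would make the dependency explicit. The ExecStart line and the rest of the [Service] section are outside this hunk.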