Diffstat (limited to 'roles/linux_ns/files/systemd/dn42_pdns.service')
-rw-r--r--roles/linux_ns/files/systemd/dn42_pdns.service55
1 files changed, 55 insertions, 0 deletions
diff --git a/roles/linux_ns/files/systemd/dn42_pdns.service b/roles/linux_ns/files/systemd/dn42_pdns.service
new file mode 100644
index 0000000..45cc367
--- /dev/null
+++ b/roles/linux_ns/files/systemd/dn42_pdns.service
@@ -0,0 +1,55 @@
+[Unit]
+Description=PowerDNS Authoritative Server dn42
+Documentation=man:pdns_server(1) man:pdns_control(1)
+Documentation=https://doc.powerdns.com
+Wants=network-online.target
+After=network-online.target time-sync.target
+After=dn42_namespace.service
+Requires=dn42_namespace.service
+
+[Service]
+ExecStart=/usr/sbin/pdns_server --config-name=dn42 --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
+SyslogIdentifier=pdns_server-dn42
+User=pdns
+Group=pdns
+Type=notify
+Restart=on-failure
+RestartSec=1
+StartLimitInterval=0
+RuntimeDirectory=pdns-dn42
+BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf
+
+# Sandboxing
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+# Setting PrivateUsers=true prevents us from opening our sockets
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+# ProtectSystem=full will disallow write access to /etc and /usr, possibly
+# not being able to write slaved-zones into sqlite3 or zonefiles.
+ProtectSystem=full
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
+ProtectProc=invisible
+PrivateIPC=true
+RemoveIPC=true
+DevicePolicy=closed
+# Not enabled by default because it does not play well with LuaJIT
+# MemoryDenyWriteExecute=true
+NetworkNamespacePath=/run/netns/dn42
+
+[Install]
+WantedBy=multi-user.target
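Review bot: The ambient `CAP_CHOWN` on lines 38–39 is broader than this unit appears to need: the only writable location the unit itself prepares, `RuntimeDirectory=pdns-dn42`, is already created owned by `User=pdns`, and `ProtectSystem=full` leaves `/var` writable, so a compromised pdns_server could take ownership of root-owned files there. As I understand it, CAP_CHOWN is only useful when pdns_server chowns its control-socket directory after dropping privileges via its own `setuid=`/`setgid=` settings; with `User=`/`Group=` set here that path presumably isn't taken, but the `pdns-dn42` config isn't visible, so confirm those options are unset and then reduce both lines to `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` / `AmbientCapabilities=CAP_NET_BIND_SERVICE`. If it must stay, `ProtectSystem=strict` with an explicit `ReadWritePaths=` for the zone/sqlite location would bound what the capability can reach, and the comment on lines 52–53 already names that trade-off. Separately, `StartLimitInterval=0` on line 33 is the legacy [Service] spelling (the current form is `StartLimitIntervalSec=0` under [Unit]), and together with `Restart=on-failure`/`RestartSec=1` it removes the restart rate limit entirely, which deserves a one-line comment if intentional.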