2022-08-26 02:52:21 +02:00
|
|
|
[Unit]
|
|
|
|
|
Description=CoreDNS server
|
|
|
|
|
Documentation=https://coredns.io
|
|
|
|
|
After=network.target
|
2023-10-05 14:53:36 +02:00
|
|
|
Wants=dnscrypt-proxy.service
|
|
|
|
|
Upholds=dnscrypt-proxy.service
|
2022-08-26 02:52:21 +02:00
|
|
|
|
|
|
|
|
[Service]
|
|
|
|
|
PermissionsStartOnly=true
|
|
|
|
|
LimitNOFILE=1048576
|
|
|
|
|
LimitNPROC=512
|
|
|
|
|
CapabilityBoundingSet=
|
|
|
|
|
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
|
|
|
|
AmbientCapabilities=
|
|
|
|
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
|
|
|
User=coredns
|
|
|
|
|
|
|
|
|
|
ExecStart=/usr/local/bin/coredns -conf=/etc/coredns/Corefile
|
|
|
|
|
ExecReload=/bin/kill -SIGUSR1 $MAINPID
|
|
|
|
|
Restart=on-failure
|
|
|
|
|
RestartSec=5
|
|
|
|
|
|
|
|
|
|
WorkingDirectory=/var/lib/coredns
|
|
|
|
|
CacheDirectory=coredns
|
|
|
|
|
RuntimeDirectory=coredns
|
|
|
|
|
|
|
|
|
|
PrivateTmp=true
|
|
|
|
|
PrivateDevices=true
|
|
|
|
|
ProtectSystem=strict
|
|
|
|
|
ProtectHome=true
|
|
|
|
|
ProtectHostname=true
|
|
|
|
|
ProtectClock=true
|
|
|
|
|
ProtectProc=invisible
|
|
|
|
|
ProcSubset=pid
|
|
|
|
|
|
|
|
|
|
RemoveIPC=true
|
|
|
|
|
|
|
|
|
|
SystemCallFilter=~memfd_create @reboot @swap @mount @resources @privileged @cpu-emulation @debug @module @clock @raw-io @obsolete
|
|
|
|
|
|
|
|
|
|
NoNewPrivileges=true
|
|
|
|
|
LockPersonality=true
|
|
|
|
|
DeviceAllow=
|
|
|
|
|
MemoryDenyWriteExecute=true
|
|
|
|
|
|
|
|
|
|
ProtectKernelTunables=true
|
|
|
|
|
ProtectKernelLogs=true
|
|
|
|
|
ProtectControlGroups=true
|
|
|
|
|
ProtectKernelModules=true
|
|
|
|
|
|
|
|
|
|
RestrictNamespaces=true
|
|
|
|
|
RestrictSUIDSGID=true
|
|
|
|
|
RestrictRealtime=true
|
|
|
|
|
RestrictAddressFamilies=AF_INET AF_INET6
|
|
|
|
|
|
|
|
|
|
SystemCallArchitectures=native
|
|
|
|
|
|
|
|
|
|
[Install]
|
|
|
|
|
WantedBy=multi-user.target
|
