init.d: systemd unit examples for tpws and nfqws

3 weeks ago · 7934125c09
2 changed files with 89 additions and 12 deletions
--- a/init.d/systemd/[email
+++ b/init.d/systemd/[email
@ -0,0 +1,65 @@
+# Example systemd service unit for nfqws. Adjust for your installation.
+
+# WARNING ! This unit requires to compile nfqws using `make systemd`
+# WARNING ! This makefile target enabled special systemd notify support.
+
+# PREPARE
+# install build depends
+# make -C /opt/zapret systemd
+# cp nfqws@service /lib/systemd/system
+
+# MANAGE INSTANCE
+# prepare /etc/zapret/nfqws1.conf with nfqws parameters
+# systemctl daemon-reload
+# systemctl start nfqws@nfqws1
+# systemctl status nfqws@nfqws1
+# systemctl restart nfqws@nfqws1
+# systemctl enable nfqws@nfqws1
+# systemctl disable nfqws@nfqws1
+# systemctl stop nfqws@nfqws1
+
+# DELETE
+# rm /lib/systemd/system/[email protected]
+# systemctl daemon-reload
+
+
+[Unit]
+After=network.target
+
+[Service]
+Type=notify
+Restart=on-failure
+
+ExecSearchPath=/opt/zapret/binaries/my
+ExecStart=nfqws @${CONFIG_DIR}/${INSTANCE}.conf
+Environment=CONFIG_DIR=/etc/zapret
+Environment=INSTANCE=%i
+
+RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET6 AF_INET
+
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target
--- a/init.d/systemd/nfqws.service
+++ b/init.d/systemd/nfqws.service
@ -3,6 +3,26 @@
 # WARNING ! This unit requires to compile nfqws using `make systemd`
 # WARNING ! This makefile target enabled special systemd notify support.

+# PREPARE
+# install build depends
+# make -C /opt/zapret systemd
+# cp tpws@service /lib/systemd/system
+
+# MANAGE INSTANCE
+# prepare /etc/zapret/tpws1.conf with tpws parameters
+# systemctl daemon-reload
+# systemctl start tpws@tpws1
+# systemctl status tpws@tpws1
+# systemctl restart tpws@tpws1
+# systemctl enable tpws@tpws1
+# systemctl disable tpws@tpws1
+# systemctl stop tpws@tpws1
+
+# DELETE
+# rm /lib/systemd/system/[email protected]
+# systemctl daemon-reload
+
+
 [Unit]
 After=network.target

@ -11,16 +31,10 @@ Type=notify
 Restart=on-failure

 ExecSearchPath=/opt/zapret/binaries/my
-ExecStart=nfqws @${CONFIG_FILE}
-Environment=CONFIG_FILE=/etc/zapret/nfqws.config
-
-StateDirectory=nfqws
-StateDirectoryMode=0700
-WorkingDirectory=%S/nfqws
+ExecStart=tpws @${CONFIG_DIR}/${INSTANCE}.conf
+Environment=CONFIG_DIR=/etc/zapret
+Environment=INSTANCE=%i

-DynamicUser=true
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
 RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET6 AF_INET

 LockPersonality=true
@ -35,16 +49,14 @@ ProtectHome=true
 ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
-ProtectKernelTunables=true
 ProtectProc=invisible
-ProtectSystem=strict
+ProtectSystem=full
 RemoveIPC=true
 RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
-SystemCallFilter=~@resources @privileged
 UMask=0077

 [Install]