File dnsdist-blocklist-update.service of Package dnsdist-hardened
[Unit]
Description=Update dnsdist blocklist
AssertFileNotEmpty=/etc/credstore/dnsdist/config.yml
AssertFileNotEmpty=/etc/dnsdist/blocklists.toml
Requisite=dnsdist.service
After=dnsdist.service
[Service]
User=dnsdist
Group=dnsdist
DynamicUser=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateUsers=true
ProtectClock=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectKernelModules=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
RestrictNamespaces=true
ProtectHostname=true
LockPersonality=true
ProtectKernelTunables=true
RestrictAddressFamilies=AF_INET AF_INET6
RestrictRealtime=true
ProtectHome=true
ProtectProc=invisible
ProcSubset=pid
SystemCallFilter=@system-service
SystemCallFilter=~@resources @privileged
SystemCallFilter=bpf
UMask=0066
ConfigurationDirectory=dnsdist
StateDirectory=dnsdist
SyslogIdentifier=dnsdist-blocklist-update
LoadCredential=config.yml:/etc/credstore/dnsdist/config.yml
ExecStart=/usr/bin/dnsdist-blocklist-update.py