
# This unit file is part of the go-mmproxy package
# Georg Pfuetzenreuter <mail+rpm@georg-pfuetzenreuter.net>

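[Unit]
Description=MMProxy
# Requisite= (unlike Wants=) does not pull network.target in: if the target is
# not already active when this unit is started, the unit fails instead.
After=network.target
Requisite=network.target

# %N is the unit name without the ".service" suffix, i.e. "go-mmproxy".
ConditionFileIsExecutable=/usr/bin/%N
ConditionFileIsExecutable=/usr/sbin/ip

# Restart rate limiting. These keys belong in [Unit] (their old [Service]
# location is only honoured for backwards compatibility). The window is the
# default StartLimitIntervalSec=; with RestartSec=10s below the limit is hard
# to reach, so set StartLimitIntervalSec= explicitly if it is meant to bite.
StartLimitBurst=3

[Service]
# Dedicated unprivileged account. The daemon itself only receives
# CAP_NET_ADMIN (see below); the ip(8) calls run as full root via "+".
User=%N
Group=%N

# Must define TABLE (policy-routing table id used by the rules below) and ARGS
# (daemon command line). $ARGS is deliberately written without braces so it is
# word-split into separate arguments; "${ARGS}" would pass it as one argument.
EnvironmentFile=/etc/sysconfig/%N

ExecStart=/usr/bin/%N $ARGS

# Steer loopback-originated traffic ("from 127.0.0.1/8 iif lo") through a
# dedicated table whose only entry delivers everything locally; this is the
# standard plumbing for a transparent proxy that sends with non-local source
# addresses and still needs the replies delivered to itself.
# "+" executes the command as root and WITHOUT the User=/capability/namespace
# restrictions configured below (they are only applied to the non-"+" ExecStart=
# line). The route is installed before the rule that references it so a rule
# never points at an empty table. A failure here fails the unit and skips the
# remaining ExecStartPost= lines.
ExecStartPost=+/usr/sbin/ip route add local 0.0.0.0/0 dev lo table $TABLE
ExecStartPost=+/usr/sbin/ip rule add from 127.0.0.1/8 iif lo table $TABLE
ExecStartPost=+/usr/sbin/ip -6 route add local ::/0 dev lo table $TABLE
ExecStartPost=+/usr/sbin/ip -6 rule add from ::1/128 iif lo table $TABLE

# Best-effort teardown. "-" makes a failed delete non-fatal: without it a
# failing line (e.g. the IPv6 entries were never added because ExecStartPost=
# aborted on an earlier line) would end the ExecStopPost= sequence and leave the
# remaining rule/route behind. Prefixes may be combined in any order.
ExecStopPost=-+/usr/sbin/ip rule del from 127.0.0.1/8 iif lo table $TABLE
ExecStopPost=-+/usr/sbin/ip route del local 0.0.0.0/0 dev lo table $TABLE
ExecStopPost=-+/usr/sbin/ip -6 rule del from ::1/128 iif lo table $TABLE
ExecStopPost=-+/usr/sbin/ip -6 route del local ::/0 dev lo table $TABLE

LimitNOFILE=65535

# The only capability the daemon keeps (presumably for IP_TRANSPARENT sockets;
# confirm against the daemon's needs). Ambient so the non-root user actually
# receives it; the bounding set drops everything else for good. PrivateUsers=
# is intentionally absent: inside a user namespace the capability would not be
# effective in the host network namespace.
AmbientCapabilities=CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_ADMIN

# Sandbox for the daemon process. ProtectSystem=strict with no ReadWritePaths=
# means the daemon has no writable location except its private /tmp, and
# RestrictAddressFamilies= leaves it unable to open netlink sockets (it cannot
# modify routing itself). MemoryDenyWriteExecute= is expected to be safe for a
# Go binary (no JIT).
KeyringMode=private
LockPersonality=yes
MemoryDenyWriteExecute=yes
MountFlags=private
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=yes
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
# Allowlist (no "~"): anything outside these groups plus the implicit @default
# set is refused. A Go runtime update that needs a new syscall shows up as a
# SIGSYS kill in the journal; extend the list rather than dropping the filter.
SystemCallFilter=@basic-io @file-system @io-event @ipc @network-io @process @signal madvise setrlimit splice

Restart=on-failure
RestartSec=10s

[Install]
WantedBy=multi-user.target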