diff options
Diffstat (limited to 'net-vpn/cloudflared/files/cloudflared.service')
| -rw-r--r-- | net-vpn/cloudflared/files/cloudflared.service | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/net-vpn/cloudflared/files/cloudflared.service b/net-vpn/cloudflared/files/cloudflared.service new file mode 100644 index 0000000..08dc895 --- /dev/null +++ b/net-vpn/cloudflared/files/cloudflared.service @@ -0,0 +1,56 @@ +[Unit] +Description=Argo Tunnel client daemon for Cloudflared +After=network.target +Wants=network.target + +[Service] +Type=notify +ExecStart=/usr/bin/cloudflared --config /etc/cloudflared/config.yml --no-autoupdate +User=cloudflared +Group=cloudflared +Restart=on-failure +RestartSec=5s +TimeoutStartSec=0 + +# Allow cloudflared access to logfile +ReadWritePaths=/var/log/cloudflared.log + +# Allow cloudflared to bind ports in the range of 0-1024 and restrict it to +# that capability +CapabilityBoundingSet=CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_BIND_SERVICE + +# If cloudflared is run at ports >1024, you should apply these options via a +# drop-in file +#CapabilityBoundingSet= +#AmbientCapabilities= +#PrivateUsers=yes + +NoNewPrivileges=true +LimitNOFILE=1048576 +UMask=0077 + +ProtectSystem=strict +ProtectHome=true +PrivateTmp=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=true +LockPersonality=true +MemoryDenyWriteExecute=true +RestrictRealtime=true +RestrictSUIDSGID=true +RemoveIPC=true + +SystemCallFilter=@system-service +SystemCallFilter=~@privileged @resources +SystemCallArchitectures=native + +[Install] +WantedBy=multi-user.target |