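[Unit]
Description=Pi-hole FTL
# network-online.target is only loosely defined as "network functionality is available", with
# one firm guarantee: at shutdown, a unit that is ordered after network-online.target will be
# stopped before the network is shut down.
Wants=network-online.target
After=network-online.target
# nss-lookup.target is the synchronization point for all host/network name service lookups.
# Services that depend on working name resolution order themselves after this target without
# pulling it in. This unit does the reverse (Wants= plus Before=), the pattern used by a
# service that provides name resolution instead of consuming it.
Wants=nss-lookup.target
Before=nss-lookup.target

# Limit (re)start loop to 5 within 1 minute. Combined with Restart=on-failure in [Service],
# a service that keeps failing is left in the failed state instead of restarting forever.
StartLimitBurst=5
StartLimitIntervalSec=60s
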
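[Service]
# The main pihole-FTL process runs as the unprivileged pihole account.
User=pihole
# Legacy setting: User= is applied to ExecStart= only, so the ExecStartPre=, ExecReload= and
# ExecStopPost= commands below do not run as pihole (they run as root when this is installed
# as a system unit). Keep those scripts owned by root and not writable by the pihole user,
# otherwise the service account could alter code that runs with more privilege than it has.
# NOTE(review): newer systemd documents per-command prefixes on Exec*= lines for this purpose;
# check systemd.service(5) for the targeted systemd version before switching.
PermissionsStartOnly=true
# Capabilities handed to the non-root main process: binding ports below 1024
# (CAP_NET_BIND_SERVICE), raw sockets (CAP_NET_RAW), network configuration (CAP_NET_ADMIN),
# scheduling priority (CAP_SYS_NICE), memory locking (CAP_IPC_LOCK) and changing file
# ownership (CAP_CHOWN).
# NOTE(review): CAP_NET_ADMIN is broad; confirm each entry is still needed when the service's
# feature set changes.
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_NICE CAP_IPC_LOCK CAP_CHOWN
# Prevents the pihole-FTL process from acquiring more capabilities than the following.
# Keep this list in sync with AmbientCapabilities= above; an entry that appears only here is
# headroom the service does not need.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_NICE CAP_IPC_LOCK CAP_CHOWN

ExecStartPre=/opt/pihole/pihole-FTL-prestart.sh
ExecStart=/usr/bin/pihole-FTL -f
# Restart only after an unclean exit, waiting 5 seconds between attempts. The start limit in
# [Unit] bounds the number of attempts.
Restart=on-failure
RestartSec=5s
# A reload sends SIGHUP to the main process.
ExecReload=/bin/kill -HUP $MAINPID
ExecStopPost=/opt/pihole/pihole-FTL-poststop.sh

# Use graceful shutdown with a reasonable timeout. Once the timeout expires systemd stops
# waiting and kills the remaining processes.
TimeoutStopSec=10s

# Sandboxing. "systemd-analyze security <unit>" reports which exposure remains after these
# settings; re-run it whenever a directive in this section is changed.

# Let the pihole-FTL process see a read-only view of /opt/pihole when TemporaryFileSystem= is
# hiding the content of /opt
BindReadOnlyPaths=/opt/pihole
# Gives access to /etc/pihole
ConfigurationDirectory=pihole
# Pins the kernel execution domain (personality) so the process cannot change it.
LockPersonality=true
# Gives access to /var/log/pihole
LogsDirectory=pihole
# The service and its children cannot gain privileges through setuid/setgid binaries or file
# capabilities.
NoNewPrivileges=true
# Private /dev with only pseudo devices; physical devices are not reachable.
PrivateDevices=true
# Private System V / POSIX IPC namespace, not shared with the host.
PrivateIPC=true
# Gives pihole-FTL a private (0700), not shared, per-execution, tmp folder
PrivateTmp=true
# Deny changes to the system clock, control groups, hostname, kernel log, kernel modules and
# kernel tunables, and make the home directories inaccessible.
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
# Hides processes owned by other users from pihole-FTL view
ProtectProc=invisible
# Mount the entire file system as read-only. Write access to required folders is provided via
# {Configuration,Logs,Runtime}Directory= settings
ProtectSystem=strict
# Remove IPC objects owned by the service user when the service stops.
RemoveIPC=true
# Only IPv4, IPv6, netlink and Unix domain sockets may be created.
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
# No new namespaces, no realtime scheduling, no creation of setuid/setgid files.
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
# Gives access to /run/pihole, cleared when service is stopped
RuntimeDirectory=pihole
# Only system calls of the native architecture are permitted.
SystemCallArchitectures=native
# Allow-list the @system-service syscall set ...
SystemCallFilter=@system-service
# ... then deny the @privileged syscall set (the leading '~' negates the list).
# NOTE(review): CAP_CHOWN is granted above, but @privileged is expected to include the chown
# family of system calls, and a filtered call terminates the process unless
# SystemCallErrorNumber= is set. Check with "systemd-analyze syscall-filter @privileged" and
# either confirm that nothing started by this unit calls chown, or drop CAP_CHOWN from both
# capability lists.
SystemCallFilter=~@privileged
# Hides the content of the following folders, which may contain user data, from pihole-FTL view.
# /opt/pihole, /run/pihole and /var/log/pihole are made visible again by BindReadOnlyPaths=,
# RuntimeDirectory= and LogsDirectory= above.
TemporaryFileSystem=/media /mnt /opt /run /srv /var
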
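[Install]
# Once enabled, the service is started as part of the normal multi-user boot.
WantedBy=multi-user.target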