From 7934125c09832a6a74c7b2f9858200b7260e13b7 Mon Sep 17 00:00:00 2001
From: bol-van
Date: Wed, 12 Mar 2025 17:20:52 +0300
Subject: [PATCH] init.d: systemd unit examples for tpws and nfqws

---
 init.d/systemd/nfqws@.service | 65 +++++++++++++++++++
 .../systemd/{nfqws.service => tpws@.service} | 36 ++++++----
 2 files changed, 89 insertions(+), 12 deletions(-)
 create mode 100644 init.d/systemd/nfqws@.service
 rename init.d/systemd/{nfqws.service => tpws@.service} (59%)

diff --git a/init.d/systemd/nfqws@.service b/init.d/systemd/nfqws@.service
new file mode 100644
index 0000000..fc8275d
--- /dev/null
+++ b/init.d/systemd/nfqws@.service
@@ -0,0 +1,65 @@
+# Example systemd service unit for nfqws. Adjust for your installation.
+
+# WARNING ! This unit requires to compile nfqws using `make systemd`
+# WARNING ! This makefile target enabled special systemd notify support.
+
+# PREPARE
+# install build depends
+# make -C /opt/zapret systemd
+# cp nfqws@service /lib/systemd/system
+
+# MANAGE INSTANCE
+# prepare /etc/zapret/nfqws1.conf with nfqws parameters
+# systemctl daemon-reload
+# systemctl start nfqws@nfqws1
+# systemctl status nfqws@nfqws1
+# systemctl restart nfqws@nfqws1
+# systemctl enable nfqws@nfqws1
+# systemctl disable nfqws@nfqws1
+# systemctl stop nfqws@nfqws1
+
+# DELETE
+# rm /lib/systemd/system/nfqws@.service
+# systemctl daemon-reload
+
+
+[Unit]
+After=network.target
+
+[Service]
+Type=notify
+Restart=on-failure
+
+ExecSearchPath=/opt/zapret/binaries/my
+ExecStart=nfqws @${CONFIG_DIR}/${INSTANCE}.conf
+Environment=CONFIG_DIR=/etc/zapret
+Environment=INSTANCE=%i
+
+RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET6 AF_INET
+
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target
diff --git a/init.d/systemd/nfqws.service b/init.d/systemd/tpws@.service
similarity index 59%
rename from init.d/systemd/nfqws.service
rename to init.d/systemd/tpws@.service
index cedd2a2..993e062 100644
--- a/init.d/systemd/nfqws.service
+++ b/init.d/systemd/tpws@.service
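Review bot: The `[Service]` section sets neither `User=` nor `CapabilityBoundingSet=`, so nfqws starts as root with the full capability set, and none of the mount, seccomp or `Protect*=` directives below narrow that. The unit this file was modelled on (its deletions are visible in the tpws@.service rename hunk) ran under `DynamicUser=` with only `CAP_NET_ADMIN CAP_NET_RAW`, which suggests those two suffice; if privilege dropping is now left to whatever the config file contains, adding `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW` and `NoNewPrivileges=true` would still bound the worst case — confirm against nfqws's own privilege-drop behaviour before relying on it. Separately, the PREPARE comment names a file that does not exist: `# cp nfqws@service /lib/systemd/system` should read `# cp nfqws@.service /lib/systemd/system`. The second header line would also read better as `# WARNING ! This makefile target enables special systemd notify support.`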
@@ -3,6 +3,26 @@ # WARNING ! This unit requires to compile nfqws using `make systemd` # WARNING ! This makefile target enabled special systemd notify support. +# PREPARE +# install build depends +# make -C /opt/zapret systemd +# cp tpws@service /lib/systemd/system + +# MANAGE INSTANCE +# prepare /etc/zapret/tpws1.conf with tpws parameters +# systemctl daemon-reload +# systemctl start tpws@tpws1 +# systemctl status tpws@tpws1 +# systemctl restart tpws@tpws1 +# systemctl enable tpws@tpws1 +# systemctl disable tpws@tpws1 +# systemctl stop tpws@tpws1 + +# DELETE +# rm /lib/systemd/system/tpws@.service +# systemctl daemon-reload + + [Unit] After=network.target @@ -11,16 +31,10 @@ Type=notify Restart=on-failure ExecSearchPath=/opt/zapret/binaries/my -ExecStart=nfqws @${CONFIG_FILE} -Environment=CONFIG_FILE=/etc/zapret/nfqws.config +ExecStart=tpws @${CONFIG_DIR}/${INSTANCE}.conf +Environment=CONFIG_DIR=/etc/zapret +Environment=INSTANCE=%i -StateDirectory=nfqws -StateDirectoryMode=0700 -WorkingDirectory=%S/nfqws - -DynamicUser=true -AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW -CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET6 AF_INET LockPersonality=true @@ -35,16 +49,14 @@ ProtectHome=true ProtectHostname=true ProtectKernelLogs=true ProtectKernelModules=true -ProtectKernelTunables=true ProtectProc=invisible -ProtectSystem=strict +ProtectSystem=full RemoveIPC=true RestrictNamespaces=true RestrictRealtime=true RestrictSUIDSGID=true SystemCallArchitectures=native SystemCallFilter=@system-service -SystemCallFilter=~@resources @privileged UMask=0077 [Install]
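Review bot: The PREPARE comment copies a file that does not exist — the unit is `tpws@.service`, so `# cp tpws@service /lib/systemd/system` should read `# cp tpws@.service /lib/systemd/system`. The two WARNING lines this hunk is anchored on were carried over by the rename and still say the unit requires compiling nfqws; since the file is now the tpws unit they should name tpws instead, unless the `make systemd` target really is nfqws-only, in which case the comment should say that tpws builds the same way.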
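Review bot: Dropping `DynamicUser=true`, `AmbientCapabilities=` and `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW` with nothing in their place means tpws now runs as root with an unbounded capability set, and removing `StateDirectory=`/`WorkingDirectory=` leaves it with `/` as its working directory. If the intent is that the config file makes tpws drop privileges itself, that assumption deserves a comment next to `ExecStart=`, and `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW` plus `NoNewPrivileges=true` would still bound the window before the drop; if tpws does not drop privileges, reinstating `DynamicUser=` with ambient capabilities is the safer shape. Which capabilities tpws actually needs is not visible here (transparent-proxy binding typically needs `CAP_NET_ADMIN`), so the exact set should be checked rather than copied from the old nfqws unit. This hunk only covers the head of the `[Service]` section; the rest of it is in the following hunk.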
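Review bot: Downgrading `ProtectSystem=strict` to `ProtectSystem=full` leaves everything outside `/usr`, `/boot`, `/efi` and `/etc` writable — including `/opt/zapret/binaries/my`, the `ExecSearchPath=` this unit launches from — so a compromised process in this unit (which, as far as these hunks show, now runs as root) could overwrite its own binary. At the same time `ProtectKernelTunables=true` and the `~@resources @privileged` syscall deny-list are removed, with no comment saying what broke; if some path needs to be writable, `ProtectSystem=strict` plus `ReadWritePaths=/that/path` expresses it more tightly, and `ProtectKernelTunables=true` should come back unless tpws genuinely writes under `/proc/sys`. A one-line comment above `ProtectSystem=full` giving the reason would help the next person who tries to tighten this unit again. This hunk is the tail of the `[Service]` section whose start is in the previous hunk.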