diff options
| author | Christian Pointner <equinox@spreadspace.org> | 2024-06-04 23:42:17 +0200 |
|---|---|---|
| committer | Christian Pointner <equinox@spreadspace.org> | 2024-06-04 23:42:17 +0200 |
| commit | 06bfc41a5ce11b42040a4234c938582f1fab320e (patch) | |
| tree | 2ec5fe23e23540a9decbebc7adbde7699396a9c4 /roles/network/coredns/templates | |
| parent | make base url for some repos configurable (diff) | |
install coredns to ch-iot
Diffstat (limited to 'roles/network/coredns/templates')
| -rw-r--r-- | roles/network/coredns/templates/coredns.service.j2 | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/roles/network/coredns/templates/coredns.service.j2 b/roles/network/coredns/templates/coredns.service.j2 new file mode 100644 index 00000000..327f930b --- /dev/null +++ b/roles/network/coredns/templates/coredns.service.j2 @@ -0,0 +1,32 @@ +[Unit] +Description=Coredns +After=network-online.target +Wants=network-online.target + +[Service] +Restart=always +User=coredns +ExecStart=/usr/bin/coredns -conf /etc/coredns/Corefile +ExecReload=/bin/kill -USR1 $MAINPID + +# systemd hardening-options +AmbientCapabilities=CAP_NET_BIND_SERVICE +CapabilityBoundingSet=CAP_NET_BIND_SERVICE +DeviceAllow=/dev/null rw +DevicePolicy=strict +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateTmp=true +ProtectControlGroups=true +ProtectHome=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectSystem=strict +RemoveIPC=true +RestrictNamespaces=true +RestrictRealtime=true +SystemCallArchitectures=native + +[Install] +WantedBy=multi-user.target |