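# systemd unit that runs CoreDNS as the unprivileged "coredns" user inside a
# restricted sandbox. The file must keep one directive per line: systemd does
# not parse several "Key=Value" pairs on a single line.

[Unit]
Description=Coredns
# After= orders startup behind network-online.target; Wants= pulls that target
# into the boot transaction so the ordering has something to wait for.
After=network-online.target
Wants=network-online.target

[Service]
Restart=always
User=coredns
ExecStart=/usr/bin/coredns -conf /etc/coredns/Corefile
# Reload by signalling the main process instead of restarting it.
ExecReload=/bin/kill -USR1 $MAINPID

# systemd hardening-options

# Capabilities: the service is not root, so it needs CAP_NET_BIND_SERVICE to
# bind port 53. The bounding set caps what the process tree can ever hold to
# that single capability.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Block privilege gain through execve() (setuid/setgid bits, file capabilities).
NoNewPrivileges=true

# Devices: with DevicePolicy=strict only nodes listed in DeviceAllow= are usable.
DeviceAllow=/dev/null rw
DevicePolicy=strict

# Filesystem: ProtectSystem=strict mounts the whole hierarchy read-only (apart
# from /dev, /proc and /sys) and no ReadWritePaths= is set, so the only writable
# location is the private /tmp. A Corefile plugin that writes to disk needs an
# explicit ReadWritePaths= entry.
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict

# Kernel interfaces.
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true

# Process and syscall restrictions. SystemCallArchitectures=native keeps the
# other restrictions from being bypassed through a non-native syscall ABI.
LockPersonality=true
MemoryDenyWriteExecute=true
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native

# Additional restrictions for things a DNS server has no reason to touch:
# kernel log buffer, system clock, hostname, and creating setuid/setgid files.
# These need a newer systemd than the options above; older versions log an
# "unknown key" warning and ignore them.
ProtectClock=true
ProtectHostname=true
ProtectKernelLogs=true
RestrictSUIDSGID=true

# NOTE(review): RestrictAddressFamilies= and SystemCallFilter= are not set.
# Both narrow the attack surface further but depend on which plugins the
# Corefile enables, so add them only after testing against this deployment.
# "systemd-analyze security <unit>" lists what remains exposed.

[Install]
WantedBy=multi-user.target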