enhancements to the systemd unit file
This now uses the same options that are used when starting wesnothd from within the wesnoth UI. Systemd sandboxing has been added, as well as a documentation entry. The socket file seems not to be removed in most cases, so it is deleted afterwards.
parent
2151ed6be1
commit
b5ec7b832e
1 changed files with 26 additions and 2 deletions
|
@ -1,9 +1,33 @@
|
|||
[Unit]
|
||||
Description=Wesnoth Multiplayer Server Daemon
|
||||
Description=Wesnoth@BINARY_SUFFIX@ Multiplayer Server Daemon
|
||||
Documentation=man:wesnothd(6)
|
||||
After=network.target
|
||||
# other wesnothd installations use the same port by default
|
||||
# Conflicts=wesnothd-1.12.service wesnothd-1.10.service
|
||||
|
||||
[Service]
|
||||
ExecStart=@CMAKE_INSTALL_FULL_BINDIR@/wesnothd
|
||||
ExecStart=@CMAKE_INSTALL_FULL_BINDIR@/wesnothd@BINARY_SUFFIX@ -t 2 -T 5
|
||||
# you can use -c to specify the same configuration file
|
||||
# which is used when starting wensothd from within the wesnoth UI
|
||||
# (and make sure wesnothd has the required access permissions)
|
||||
ExecStopPost=/usr/bin/rm -f @FIFO_DIR@/socket
|
||||
SyslogIdentifier=Wesnothd@BINARY_SUFFIX@
|
||||
|
||||
# Additional security-related features
|
||||
# (when using the -c option, do not use the Protect options)
|
||||
ProtectHome=yes
|
||||
ProtectSystem=full
|
||||
PrivateTmp=yes
|
||||
PrivateDevices=yes
|
||||
NoNewPrivileges=yes
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||
RestrictRealtime=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
SystemCallArchitectures=native
|
||||
ProtectControlGroups=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelModules=yes
|
||||
RestrictNamespaces=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
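Review bot: The [Service] section lists thirteen sandboxing directives but no `User=`/`Group=`, so as far as this unit shows wesnothd still runs as root, where `ProtectSystem=full` leaves `/var` and other paths writable and `NoNewPrivileges=yes` gains little. Adding `User=<service-account>` and `Group=<service-account>` (placeholder names; the account must be able to write `@FIFO_DIR@`) would give the sandbox a non-root process to confine. The comment `# (when using the -c option, do not use the Protect options)` tells administrators to drop every Protect directive, while only `ProtectHome=yes` plausibly blocks a configuration file kept under a home directory; I would reword it to `# (when using -c with a file under /home, set ProtectHome=read-only)`. The comment two lines above `ExecStopPost=` also spells the daemon `wensothd`.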