[Unit]
Description=Firezone Client

[Service]
AmbientCapabilities=CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_ADMIN
DeviceAllow=/dev/net/tun
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateMounts=true
PrivateTmp=true
# We need to be real root, not just root in our cgroup
PrivateUsers=false
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
# Docs say it's useless when running as root, but defense-in-depth
ProtectProc=invisible
ProtectSystem=strict
# Netlink needed for the tunnel interface, Unix needed for `systemd-resolved`
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
StateDirectory=dev.firezone.client
SystemCallArchitectures=native
# TODO: Minimize
SystemCallFilter=@aio @basic-io @file-system @io-event @network-io @signal @system-service
UMask=077

Environment="FIREZONE_API_URL=ws://127.0.0.1:8081"
# TODO: Remove after #6163 gets into a release
Environment="FIREZONE_DNS_CONTROL=systemd-resolved"
Environment="RUST_LOG=info"

ExecStart=firezone-headless-client standalone
Type=notify
# Unfortunately we may need root to control DNS
User=root

[Install]
WantedBy=default.target