github-personal/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 10:18:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
firezone/scripts/tests/systemd/firezone-client-headless.service
Jamil 0698e0d35f ci: test IPv6 for CIDR resources (#10168) 
Docker for Mac finally supports IPv6 in general availability. It's time
to add IPv6 to our suite of integration tests.

The thinking behind this PR is try and not slow down CI much, if at all,
by testing IPv6 side-by-side with the existing IPv4 tests.

More comprehensive testing is being developed in #10131 that will test
things like IPv4-in-6 relaying, client / gateway IP stack mismatches,
and so forth.
2025-08-18 20:59:40 +00:00

49 lines
1.3 KiB
Desktop File
Raw Permalink Blame History

[Unit]
Description=Firezone Client
[Service]
AmbientCapabilities=CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_ADMIN
DeviceAllow=/dev/net/tun
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateMounts=true
PrivateTmp=true
# We need to be real root, not just root in our cgroup
PrivateUsers=false
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
# Docs say it's useless when running as root, but defense-in-depth
ProtectProc=invisible
ProtectSystem=strict
# Netlink needed for the tunnel interface, Unix needed for `systemd-resolved`
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
StateDirectory=dev.firezone.client
SystemCallArchitectures=native
# TODO: Minimize
SystemCallFilter=@aio @basic-io @file-system @io-event @network-io @signal @system-service
UMask=077
Environment="FIREZONE_API_URL=ws://127.0.0.1:8081"
# TODO: Remove after #6163 gets into a release
Environment="FIREZONE_DNS_CONTROL=systemd-resolved"
Environment="RUST_LOG=info"
ExecStart=firezone-headless-client standalone
Type=notify
# Unfortunately we may need root to control DNS
User=root
[Install]
WantedBy=default.target
Reference in New Issue View Git Blame Copy Permalink