mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 18:18:55 +00:00
0ad72f00d1
Is this worth it? ```[tasklist] ### Before merging - [x] Double-check docs and ask Jamil to review - [x] Would need Brian to review the terraform thing - [x] Make sure Docker compat isn't broken for existing users (shouldn't be, the image is still just `client`) - [x] Decide whether compatibility tests need to pass (if something breaks after merge we can revert this) ```
48 lines
1.2 KiB
Desktop File
48 lines
1.2 KiB
Desktop File
[Unit]
|
|
Description=Firezone Client
|
|
|
|
[Service]
|
|
AmbientCapabilities=CAP_NET_ADMIN
|
|
CapabilityBoundingSet=CAP_NET_ADMIN
|
|
DeviceAllow=/dev/net/tun
|
|
LockPersonality=true
|
|
MemoryDenyWriteExecute=true
|
|
NoNewPrivileges=true
|
|
PrivateMounts=true
|
|
PrivateTmp=true
|
|
# We need to be real root, not just root in our cgroup
|
|
PrivateUsers=false
|
|
ProcSubset=pid
|
|
ProtectClock=true
|
|
ProtectControlGroups=true
|
|
ProtectHome=true
|
|
ProtectHostname=true
|
|
ProtectKernelLogs=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelTunables=true
|
|
# Docs say it's useless when running as root, but defense-in-depth
|
|
ProtectProc=invisible
|
|
ProtectSystem=strict
|
|
# Netlink needed for the tunnel interface, Unix needed for `systemd-resolved`
|
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
|
RestrictNamespaces=true
|
|
RestrictRealtime=true
|
|
RestrictSUIDSGID=true
|
|
StateDirectory=dev.firezone.client
|
|
SystemCallArchitectures=native
|
|
# TODO: Minimize
|
|
SystemCallFilter=@aio @basic-io @file-system @io-event @network-io @signal @system-service
|
|
UMask=077
|
|
|
|
Environment="FIREZONE_API_URL=ws://localhost:8081"
|
|
Environment="FIREZONE_DNS_CONTROL=systemd-resolved"
|
|
Environment="RUST_LOG=info"
|
|
|
|
ExecStart=firezone-headless-client standalone
|
|
Type=notify
|
|
# Unfortunately we may need root to control DNS
|
|
User=root
|
|
|
|
[Install]
|
|
WantedBy=default.target
|