mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-28 18:18:55 +00:00
5eb2bba47b
Closes #5063, supersedes #5850 Other refactors and changes made as part of this: - Adds the ability to disable DNS control on Windows - Removes the spooky-action-at-a-distance `from_env` functions that used to be buried in `tunnel` - `FIREZONE_DNS_CONTROL` is now a regular `clap` argument again --------- Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
49 lines
1.3 KiB
Desktop File
49 lines
1.3 KiB
Desktop File
[Unit]
|
|
Description=Firezone Client
|
|
|
|
[Service]
|
|
AmbientCapabilities=CAP_NET_ADMIN
|
|
CapabilityBoundingSet=CAP_NET_ADMIN
|
|
DeviceAllow=/dev/net/tun
|
|
LockPersonality=true
|
|
MemoryDenyWriteExecute=true
|
|
NoNewPrivileges=true
|
|
PrivateMounts=true
|
|
PrivateTmp=true
|
|
# We need to be real root, not just root in our cgroup
|
|
PrivateUsers=false
|
|
ProcSubset=pid
|
|
ProtectClock=true
|
|
ProtectControlGroups=true
|
|
ProtectHome=true
|
|
ProtectHostname=true
|
|
ProtectKernelLogs=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelTunables=true
|
|
# Docs say it's useless when running as root, but defense-in-depth
|
|
ProtectProc=invisible
|
|
ProtectSystem=strict
|
|
# Netlink needed for the tunnel interface, Unix needed for `systemd-resolved`
|
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
|
|
RestrictNamespaces=true
|
|
RestrictRealtime=true
|
|
RestrictSUIDSGID=true
|
|
StateDirectory=dev.firezone.client
|
|
SystemCallArchitectures=native
|
|
# TODO: Minimize
|
|
SystemCallFilter=@aio @basic-io @file-system @io-event @network-io @signal @system-service
|
|
UMask=077
|
|
|
|
Environment="FIREZONE_API_URL=ws://localhost:8081"
|
|
# TODO: Remove after #6163 gets into a release
|
|
Environment="FIREZONE_DNS_CONTROL=systemd-resolved"
|
|
Environment="RUST_LOG=info"
|
|
|
|
ExecStart=firezone-headless-client standalone
|
|
Type=notify
|
|
# Unfortunately we may need root to control DNS
|
|
User=root
|
|
|
|
[Install]
|
|
WantedBy=default.target
|