48 lines
1.2 KiB
INI
48 lines
1.2 KiB
INI
[Unit]
|
|
Description=Run the Cloudflare DDNS script
|
|
Wants=network-online.target
|
|
After=network-online.target
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
ExecStart=/usr/bin/cloudflare-ddns run --config-file "${CREDENTIALS_DIRECTORY}/cloudflare-ddns.toml" --cache-dir "${CACHE_DIRECTORY}"
|
|
|
|
# Please modify the path after the : to point to a custom config location if you'd like
|
|
LoadCredential=cloudflare-ddns.toml:/etc/cloudflare-ddns.toml
|
|
|
|
# Security Hardening
|
|
# Run `systemd-analyze security cloudflare-ddns` for recommendations
|
|
|
|
NoNewPrivileges=true
|
|
ProtectSystem=strict
|
|
PrivateTmp=true
|
|
PrivateDevices=true
|
|
ProtectHostname=true
|
|
ProtectClock=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelLogs=true
|
|
ProtectControlGroups=true
|
|
RestrictNamespaces=true
|
|
LockPersonality=true
|
|
MemoryDenyWriteExecute=true
|
|
RestrictRealtime=true
|
|
RestrictSUIDSGID=true
|
|
CapabilityBoundingSet=
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=@system-service
|
|
SystemCallFilter=~@privileged
|
|
SystemCallFilter=~@resources
|
|
ProtectProc=invisible
|
|
ProcSubset=pid
|
|
RestrictAddressFamilies=AF_INET AF_INET6
|
|
UMask=066
|
|
DynamicUser=true
|
|
CacheDirectory=cloudflare-ddns
|
|
PrivateUsers=true
|
|
ProtectHome=true
|
|
# Refuse to execute any other binary
|
|
ExecPaths=/usr/bin/cloudflare-ddns
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target |