Add a sample systemd service file for pixiecore.

The service file is added as documentation, rather than in the system services directory, because it will almost certainly require customization before it can be used. So why bother including one at all? Because I've gone through the trouble of figuring out the various systemd-exec security flags to lock down pixiecore as much as possible with chroots, capabilties, syscall filters, etc. Having that as a baseline will encourage people to run Pixiecore with maximum constraints, even if they have to write their own ExecStart for it.
2025-10-17 10:31:28 +02:00 · 2017-01-31 17:53:45 -08:00 · 2017-01-31 17:53:45 -08:00 · 3df58430a4
commit 3df58430a4
parent 01a86583a5
2 changed files with 34 additions and 0 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -22,7 +22,9 @@ script:
 - fpm -s dir -t deb -n pixiecore -v $(date '+%Y%m%d%H%M%S') --license Apache2 --vendor
  "David Anderson <dave@natulte.net>" --maintainer "David Anderson <dave@natulte.net>"
  --description "All-in-one PXE booting" --url "https://github.com/google/netboot"
+  --directories /usr/share/doc/pixiecore
  ./pixiecore.amd64=/usr/bin/pixiecore
+  ./pixiecore/pixiecore.service=/usr/share/doc/pixiecore/pixiecore.service.example
 env:
  global:
    # Packagecloud API token
--- a/pixiecore/pixiecore.service
+++ b/pixiecore/pixiecore.service
@ -0,0 +1,32 @@
+# This is an example service file for Pixiecore, which starts it in
+# API mode with as many execution restrictions as possible: read-only
+# filesystems, chroot, capability limitations, syscall filters...
+#
+# You will probably need to adjust this to your particular needs, but
+# this should be a comprehensive starting point.
+
+[Unit]
+Description=PXE booting server
+Documentation=https://github.com/google/netboot/tree/master/pixiecore
+
+[Service]
+WorkingDirectory=/tmp
+ExecStart=/usr/bin/pixiecore api https://example.com/api
+Restart=always
+User=nobody
+Group=nobody
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
+PrivateTmp=true
+PrivateDevices=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+NoNewPrivileges=true
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+[Install]
+WantedBy=multi-user.target