# This is an example service file for Pixiecore, which starts it in
# API mode with as many execution restrictions as possible: read-only
# filesystems, chroot, capability limitations, syscall filters...
#
# You will probably need to adjust this to your particular needs, but
# this should be a comprehensive starting point.

[Unit]
Description=PXE booting server
Documentation=https://github.com/google/netboot/tree/master/pixiecore

[Service]
WorkingDirectory=/tmp
ExecStart=/usr/bin/pixiecore api https://example.com/api
Restart=always
User=nobody
Group=nobody
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
PrivateTmp=true
PrivateDevices=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectKernelModules=true
NoNewPrivileges=true
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK

[Install]
WantedBy=multi-user.target