mirror of
https://github.com/danderson/netboot.git
synced 2025-09-14 10:21:18 +02:00
33 lines
1.0 KiB
Desktop File
33 lines
1.0 KiB
Desktop File
# This is an example service file for Pixiecore, which starts it in
|
|
# API mode with as many execution restrictions as possible: read-only
|
|
# filesystems, chroot, capability limitations, syscall filters...
|
|
#
|
|
# You will probably need to adjust this to your particular needs, but
|
|
# this should be a comprehensive starting point.
|
|
|
|
[Unit]
|
|
Description=PXE booting server
|
|
Documentation=https://github.com/google/netboot/tree/master/pixiecore
|
|
|
|
[Service]
|
|
WorkingDirectory=/tmp
|
|
ExecStart=/usr/bin/pixiecore api https://example.com/api
|
|
Restart=always
|
|
User=nobody
|
|
Group=nobody
|
|
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW
|
|
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
|
|
PrivateTmp=true
|
|
PrivateDevices=true
|
|
ProtectSystem=strict
|
|
ProtectHome=true
|
|
ProtectKernelTunables=true
|
|
ProtectControlGroups=true
|
|
ProtectKernelModules=true
|
|
NoNewPrivileges=true
|
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io
|
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|