The service file is added as documentation, rather than in the system services directory, because it will almost certainly require customization before it can be used. So why bother including one at all? Because I've gone through the trouble of figuring out the various systemd-exec security flags to lock down pixiecore as much as possible with chroots, capabilities, syscall filters, etc. Having that as a baseline will encourage people to run Pixiecore with maximum constraints, even if they have to write their own ExecStart for it.
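# This is an example service file for Pixiecore, which starts it in
# API mode with as many execution restrictions as possible: read-only
# filesystems, chroot, capability limitations, syscall filters...
#
# You will probably need to adjust this to your particular needs, but
# this should be a comprehensive starting point.
#
# Notes for anyone adapting this file:
#
# - Keep the hardening directives unless the service demonstrably
#   fails with them; each one removes a class of post-compromise
#   capability from a daemon that has to listen on the network.
# - Whoever controls the API endpoint named in ExecStart= decides which
#   kernel and initrd every PXE client boots. Treat that endpoint as
#   fully trusted, reach it over https only, and restrict who can
#   change it.
# - The directives used here assume systemd >= 232 (ProtectSystem=strict
#   and the ProtectKernel*/ProtectControlGroups= family arrived in 232).
#   On newer systemd also consider RestrictNamespaces= (233),
#   LockPersonality= (235), RestrictSUIDSGID= and ProtectHostname= (242),
#   ProtectKernelLogs= (244) and ProtectClock= (245). An unknown
#   directive only logs a warning on older versions, so it is harmless
#   to add, but it then provides no protection there.

[Unit]
Description=PXE booting server
Documentation=https://github.com/google/netboot/tree/master/pixiecore

[Service]
# /tmp is a private mount for this service (PrivateTmp= below), so
# nothing written here is visible to other processes or survives a
# restart.
WorkingDirectory=/tmp
# Replace the URL with your own boot-decision API; see the note in the
# header about trusting that endpoint.
ExecStart=/usr/bin/pixiecore api https://example.com/api
Restart=always

# Run unprivileged. NOTE(review): `nobody` is shared with other
# services on many systems, which weakens isolation between them, and
# the matching group is called `nogroup` rather than `nobody` on
# Debian-derived distributions (the unit fails to start if the group
# does not exist). A dedicated system user, or DynamicUser=yes on
# systemd >= 232, is preferable -- adjust for your distribution.
User=nobody
Group=nobody

# Only the capabilities a non-root PXE server needs: binding the
# privileged (<1024) DHCP/TFTP/HTTP ports, and -- presumably -- the
# raw/broadcast socket handling DHCP requires. TODO confirm CAP_NET_RAW
# is still needed by the pixiecore version you deploy and drop it if
# not. AmbientCapabilities= hands them to the non-root process; the
# bounding set caps what the process could ever regain.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW

# Filesystem and kernel-interface isolation.
PrivateTmp=true
PrivateDevices=true
# strict: the whole filesystem hierarchy is read-only except the API
# filesystems (/dev, /proc, /sys) and the private /tmp. Add
# ReadWritePaths= if a custom ExecStart= needs to write elsewhere.
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectControlGroups=true
ProtectKernelModules=true
# No privilege escalation via setuid/fscaps binaries for the process or
# its children. Several of the directives below imply this already;
# keeping it explicit documents the intent.
NoNewPrivileges=true

# Seccomp deny-list. Per the systemd.exec group table, @privileged
# already covers @clock, @module and @raw-io; the explicit list is kept
# for readability.
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io
# Seccomp matches per syscall ABI, so on multi-ABI hosts (e.g. 32-bit
# syscalls on x86-64) the filter above could be sidestepped through the
# compat ABI. systemd's documentation recommends pairing
# SystemCallFilter= with this directive.
SystemCallArchitectures=native
# A network daemon has no business acquiring realtime scheduling, which
# a compromised process could use to starve the host.
RestrictRealtime=true

# Socket families the process may create. AF_UNIX is kept for
# journald/syslog. NOTE(review): if pixiecore enumerates interfaces
# through Go's net package (which uses netlink on Linux), AF_NETLINK
# must be added here; likewise AF_PACKET if its DHCP code opens raw
# packet sockets. Start the service once and check the journal for
# "address family not supported" (EAFNOSUPPORT) to confirm.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

[Install]
WantedBy=multi-user.target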