695a8b963c
- numa.service: User=numa + CAP_NET_BIND_SERVICE + sandboxing block (ProtectSystem=strict, PrivateTmp, seccomp @system-service, etc) - install_service_linux: create numa system user + chown data_dir before first start so TLS-cert generation and state writes land on a numa-owned tree Runtime verified root-free on Linux — network_watch_loop only reads /etc/resolv.conf; all system-DNS mutation stays in the installer, which continues to run as root via sudo.
51 lines
1.2 KiB
Desktop File
51 lines
1.2 KiB
Desktop File
[Unit]
|
|
Description=Numa DNS — DNS you own, everywhere you go
|
|
After=network-online.target
|
|
Wants=network-online.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
ExecStart={{exe_path}}
|
|
Restart=always
|
|
RestartSec=2
|
|
|
|
User=numa
|
|
Group=numa
|
|
|
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
|
|
|
# StateDirectory maps to crate::data_dir() default on Linux (/var/lib/numa).
|
|
# systemd auto-creates + chowns on every start, fixing legacy root-owned trees.
|
|
StateDirectory=numa
|
|
StateDirectoryMode=0750
|
|
ConfigurationDirectory=numa
|
|
ConfigurationDirectoryMode=0755
|
|
|
|
# Sandboxing
|
|
NoNewPrivileges=true
|
|
ProtectSystem=strict
|
|
ProtectHome=true
|
|
PrivateTmp=true
|
|
PrivateDevices=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectControlGroups=true
|
|
LockPersonality=true
|
|
MemoryDenyWriteExecute=true
|
|
RestrictNamespaces=true
|
|
RestrictRealtime=true
|
|
RestrictSUIDSGID=true
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=@system-service
|
|
SystemCallFilter=~@privileged @resources
|
|
# AF_NETLINK for interface enumeration on network changes
|
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
|
|
|
|
StandardOutput=journal
|
|
StandardError=journal
|
|
SyslogIdentifier=numa
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|