Diffstat (limited to 'net-misc/FORT-validator/files/fort.service')
-rw-r--r--net-misc/FORT-validator/files/fort.service35
1 files changed, 35 insertions, 0 deletions
diff --git a/net-misc/FORT-validator/files/fort.service b/net-misc/FORT-validator/files/fort.service
new file mode 100644
index 00000000..4f24f8d1
--- /dev/null
+++ b/net-misc/FORT-validator/files/fort.service
@@ -0,0 +1,35 @@
+[Unit]
+Description=FORT RPKI validator
+Documentation=man:fort(8)
+Documentation=https://nicmx.github.io/FORT-validator/
+
+[Service]
+ExecStart=/usr/bin/fort --configuration-file /etc/fort/config.json
+Type=simple
+User=fort
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+ProtectSystem=strict
+ProtectHome=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+CacheDirectory=fort
+ReadWritePaths=/var/lib/fort/
+ConfigurationDirectory=fort
+ConfigurationDirectory=tals
+StateDirectory=fort
+NoNewPrivileges=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
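Review bot: The [Service] section sets no `Restart=` policy, so if the validator exits unexpectedly (for instance while processing malformed repository data fetched from the network) it stays down until someone notices, and routers that depend on it over RTR would presumably age out their validated data and stop enforcing origin validation. Consider adding `Restart=on-failure` together with a `RestartSec=` delay so a crash loop does not hammer the repositories. Separately, `ReadWritePaths=/var/lib/fort/` looks redundant, because `StateDirectory=fort` already makes that directory writable under `ProtectSystem=strict`. The sandbox is otherwise fairly tight, but it could be extended with `RestrictSUIDSGID=yes`, `ProtectKernelLogs=yes` and `ProtectClock=yes`, provided the systemd versions this package targets support them.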