MAINT: Improve mumble-server.service

This essentially copied the file from
https://github.com/archlinux/svntogit-community/blob/ba167269f8336659313d589dea65642b4eae4f85/trunk/murmur.service
and only adapted it in as far as that it uses the actual install paths.

1 files changed, 25 insertions, 4 deletions

diff --git a/auxiliary_files/config_files/mumble-server.service.in b/auxiliary_files/config_files/mumble-server.service.in
index 2b97a53cd..0447a022e 100644
--- a/auxiliary_files/config_files/mumble-server.service.in
+++ b/auxiliary_files/config_files/mumble-server.service.in
@@ -1,15 +1,36 @@
 [Unit]
 Description=Mumble server
 After=network.target
+Wants=network-online.target
 
 [Service]
-Type=exec
-ExecStart=@MUMBLE_INSTALL_ABS_EXECUTABLEDIR@/@MUMBLE_SERVER_BINARY_NAME@ -fg -ini @MUMBLE_INSTALL_ABS_SYSCONFDIR@/mumble-server.ini
-Restart=always
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+ExecStart=@MUMBLE_INSTALL_ABS_EXECUTABLEDIR@/@MUMBLE_SERVER_BINARY_NAME@ -ini @MUMBLE_INSTALL_ABS_SYSCONFDIR@/mumble-server.ini -fg
+Group=_mumble-server
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=true
 PrivateTmp=true
-ProtectSystem=full
+ProtectClock=yes
+ProtectControlGroups=yes
 ProtectHome=true
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=full
+RestrictAddressFamilies=~AF_PACKET AF_NETLINK
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+RestrictRealtime=yes
+Restart=always
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+Type=simple
+User=_mumble-server
 
 [Install]
 WantedBy=multi-user.target
+