From cd068fe3eec4713916257295626e2aebf6c6ed7f Mon Sep 17 00:00:00 2001
From: Robert Adam
Date: Wed, 7 Sep 2022 20:01:58 +0200
Subject: MAINT: Improve mumble-server.service

This essentially copied the file from https://github.com/archlinux/svntogit-community/blob/ba167269f8336659313d589dea65642b4eae4f85/trunk/murmur.service and only adapted it in as far as that it uses the actual install paths.
---
 .../config_files/mumble-server.service.in | 29 +++++++++++++++++++---
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/auxiliary_files/config_files/mumble-server.service.in b/auxiliary_files/config_files/mumble-server.service.in
index 2b97a53cd..0447a022e 100644
--- a/auxiliary_files/config_files/mumble-server.service.in
+++ b/auxiliary_files/config_files/mumble-server.service.in
@@ -1,15 +1,36 @@
 [Unit]
 Description=Mumble server
 After=network.target
+Wants=network-online.target
 
 [Service]
-Type=exec
-ExecStart=@MUMBLE_INSTALL_ABS_EXECUTABLEDIR@/@MUMBLE_SERVER_BINARY_NAME@ -fg -ini @MUMBLE_INSTALL_ABS_SYSCONFDIR@/mumble-server.ini
-Restart=always
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+ExecStart=@MUMBLE_INSTALL_ABS_EXECUTABLEDIR@/@MUMBLE_SERVER_BINARY_NAME@ -ini @MUMBLE_INSTALL_ABS_SYSCONFDIR@/mumble-server.ini -fg
+Group=_mumble-server
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=true
 PrivateTmp=true
-ProtectSystem=full
+ProtectClock=yes
+ProtectControlGroups=yes
 ProtectHome=true
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=full
+RestrictAddressFamilies=~AF_PACKET AF_NETLINK
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+RestrictRealtime=yes
+Restart=always
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+Type=simple
+User=_mumble-server
 
 [Install]
 WantedBy=multi-user.target
+
-- 
cgit v1.2.3
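Review bot: `Type=simple` replaces the previous `Type=exec`, so systemd treats the unit as started as soon as the process is forked, before the new `User=_mumble-server`/`Group=_mumble-server` are applied and the binary is executed. A missing account or binary then no longer fails `systemctl start`; it shows up only afterwards as a failed unit with repeated `Restart=always` attempts, and keeping `Type=exec` would surface it at start time. Separately, `RestrictAddressFamilies=~AF_PACKET AF_NETLINK` is a deny-list that leaves every other address family available. An allow-list such as `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` would be tighter, assuming the server needs nothing beyond those, which should be tested with the optional RPC interfaces enabled.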