enhancements to the systemd unit file

This uses now the same options which are used when starting wesnothd from within the wesnoth UI. Systemd sandboxing has been added as well as an documentation entry. The socket file seems to be not removed in most cases, thus it gets deleted afterwards.
wesnoth · Feb 24, 2018 · b5ec7b8 · b5ec7b8 · soliton- · Feb 24, 2018
1 parent 2151ed6
commit b5ec7b8
Showing 1 changed file with 26 additions and 2 deletions.
diff --git a/packaging/systemd/wesnothd.service.in b/packaging/systemd/wesnothd.service.in
@@ -1,9 +1,33 @@
 [Unit]
-Description=Wesnoth Multiplayer Server Daemon
+Description=Wesnoth@BINARY_SUFFIX@ Multiplayer Server Daemon
+Documentation=man:wesnothd(6)
 After=network.target
+# other wesnothd installations use the same port by default
+# Conflicts=wesnothd-1.12.service wesnothd-1.10.service
 
 [Service]
-ExecStart=@CMAKE_INSTALL_FULL_BINDIR@/wesnothd
+ExecStart=@CMAKE_INSTALL_FULL_BINDIR@/wesnothd@BINARY_SUFFIX@ -t 2 -T 5
+# you can use -c to specify the same configuration file
+# which is used when starting wensothd from within the wesnoth UI
+# (and make sure wesnothd has the required access permissions)
+ExecStopPost=/usr/bin/rm -f @FIFO_DIR@/socket
+SyslogIdentifier=Wesnothd@BINARY_SUFFIX@
+
+# Additional security-related features
+# (when using the -c option, do not use the Protect options)
+ProtectHome=yes
+ProtectSystem=full
+PrivateTmp=yes
+PrivateDevices=yes
+NoNewPrivileges=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictRealtime=yes
+MemoryDenyWriteExecute=yes
+SystemCallArchitectures=native
+ProtectControlGroups=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+RestrictNamespaces=yes
 
 [Install]
 WantedBy=multi-user.target