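# wg-netnamespace@.service — systemd template unit; %i is the WireGuard config/interface name
# Read by systemd only: see systemd.unit(5) and systemd.exec(5) for the directives used here.
# Conventions: full-line `#` comments only (systemd has no trailing comments), booleans as true/false.

[Unit]
Documentation=man:wg(8)
Documentation=man:wg_namespace_cli(8)
Description=WireGuard isolated network namespace (%i)
# Pull in and order after the network-up and name-resolution targets
Wants=network-online.target nss-lookup.target
After=network-online.target nss-lookup.target

[Service]
# See systemd.directives
Type=oneshot
# Set this in a drop-in (e.g. systemctl edit wg-netnamespace@<name>)
# Environment=MY_IP=
# This variable, when set to something, tells the underlying script to use CREDENTIALS_DIRECTORY
Environment=STOCK_SERVICE=1
ExecStart=wg_namespace_cli up %i
ExecStop=wg_namespace_cli down %i
# Keep the unit active after the oneshot exits so ExecStop= runs on `systemctl stop`
RemainAfterExit=true
# The WireGuard config (which carries the tunnel private key) is passed as a systemd credential
# and appears as $CREDENTIALS_DIRECTORY/%i.conf, readable only by this service.
# Keep the source file root-owned and mode 0600.
LoadCredential=%i.conf:/etc/wireguard/%i.conf
# Alternative to LoadCredential=: a per-unit configuration directory under /etc
# ConfigurationDirectory=wg_namespace_cli
# ConfigurationDirectoryMode=0600

# General protection settings
# CAP_NET_ADMIN for interface/route setup; CAP_SYS_ADMIN presumably for creating the namespace
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_NET_ADMIN
# These settings seem to break joining the namespace after it has been launched...
# NOTE(review): each of them puts the service in a private mount namespace, so a /run/netns
# bind mount created inside it is likely not visible to the host — confirm before re-enabling.
# ProtectSystem=true
# ProtectProc=noaccess
# PrivateDevices=true
# ProtectKernelTunables=true
# ProtectKernelLogs=true
# PrivateMounts=true
# PrivateTmp=true
# ProtectControlGroups=true
# ProtectHome=true
ProtectClock=true
RestrictSUIDSGID=true
ProtectHostname=true
# Only allow IPv4 and IPv6
RestrictAddressFamilies=AF_INET AF_INET6
# AF_NETLINK is needed for ip netns add wg0
# (repeated RestrictAddressFamilies= lines are merged by systemd)
RestrictAddressFamilies=AF_NETLINK
NoNewPrivileges=true
RestrictRealtime=true
# Deny-list of syscall groups; repeated SystemCallFilter= lines are merged.
# A denied call terminates the process (SIGSYS) unless SystemCallErrorNumber= is set.
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@obsolete
LockPersonality=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
# @clock, @module, @reboot and @chown are already part of @privileged; kept explicit for clarity
SystemCallFilter=~@clock
SystemCallFilter=~@debug
SystemCallFilter=~@module
SystemCallFilter=~@reboot
SystemCallFilter=~@privileged
# NOTE(review): @mount denies mount(2); verify the script does not need it for the netns
# bind mount, given CAP_SYS_ADMIN is deliberately retained above.
SystemCallFilter=~@mount
SystemCallFilter=~@resources
SystemCallFilter=~@chown

[Install]
WantedBy=multi-user.target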