diff --git a/nebula.service b/nebula.service
new file mode 100644
index 0000000..6a6b7db
--- /dev/null
+++ b/nebula.service
@@ -0,0 +1,37 @@
+[Unit]
+Description=Nebula overlay networking tool
+
+After=basic.target network.target network-online.target
+Before=sshd.service
+Wants=basic.target network-online.target nss-lookup.target time-sync.target
+
+[Service]
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/nebula -config /etc/nebula/config.yml
+SyslogIdentifier=nebula
+#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+CapabilityBoundingSet=CAP_NET_ADMIN
+RestrictNamespaces=yes
+WorkingDirectory=/etc/nebula
+ProtectClock=true
+ProtectSystem=strict
+ProtectHostname=yes
+ProtectHome=yes
+PrivateHome=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+NoNewPrivileges=yes
+PrivateTmp=yes
+UMask=0077
+RestrictAddressFamilies=AF_NETLINK AF_INET AF_INET6
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/net/tun rw
+PrivateTmp=true
+ProtectSystem=true
+ProtectHome=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/nebula.spec b/nebula.spec
index ac38e26..4f1d3c8 100644
--- a/nebula.spec
+++ b/nebula.spec
@@ -23,6 +23,7 @@ Summary: A scalable overlay networking tool with a focus on performance,
 License: MIT
 URL: %{gourl}
 Source0: %{gosource}
+Source1: nebula.service
 BuildRequires: systemd-rpm-macros
@@ -52,7 +53,7 @@ install -m 0755 -vd %{buildroot}%{_bindir}
 install -m 0755 -vp %{gobuilddir}/bin/* %{buildroot}%{_bindir}/
 install -m 0755 -vd %{buildroot}%{_sysconfdir}/%{name}
 install -m 0640 -vp examples/config.yml %{buildroot}%{_sysconfdir}/%{name}
-install -m 0644 -vDp dist/fedora/nebula.service %{buildroot}%{_unitdir}/%{name}.service
+install -m 0644 -vDp %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
 %if %{with check}
 %check
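Review bot: The three trailing lines `PrivateTmp=true`, `ProtectSystem=true` and `ProtectHome=true` at the end of [Service] re-assign directives already set earlier in the same section, and because systemd honours the last assignment, `ProtectSystem=true` silently replaces the `ProtectSystem=strict` set above it, leaving /etc and /var writable to the root-running daemon this unit is otherwise trying to confine; delete those three lines so `strict` stays in effect. `PrivateHome=yes` is not a systemd directive (`ProtectHome=` is the real one and is already present), so systemd will log an unknown-key warning and ignore it; drop that line as well. With no `User=` the daemon still runs as root under a `CAP_NET_ADMIN`-only bounding set; if nebula needs that capability only to create the TUN interface, a dedicated `User=` plus `AmbientCapabilities=CAP_NET_ADMIN` would drop root entirely, though that presumably requires the 0640 config installed by the spec to be readable by that user, so confirm before changing. The commented-out bounding set also lists `CAP_NET_BIND_SERVICE`, which the reduced set no longer grants, so a config listening below port 1024 will fail to bind; a comment such as `# add CAP_NET_BIND_SERVICE if listen.port < 1024` would save the next packager a debugging session.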