authorDavid Anderson <[email protected]>2017-01-03 23:18:09 -0800
committerDavid Anderson <[email protected]>2017-01-03 23:18:09 -0800
commit4f5b46f61cba8359944015dfbcbce4b88cc0fd00 (patch)
tree7b84683a74c3510121844374c190e9d4d13a2124
parent8cc8cac141994b55ac7f2b98ad363b2196d867f4 (diff)
Add a systemd unit file to run tlsrouter.
The sandboxing settings are quite extreme. I love it.
-rw-r--r--systemd/tlsrouter.service25
1 files changed, 25 insertions, 0 deletions
diff --git a/systemd/tlsrouter.service b/systemd/tlsrouter.service
new file mode 100644
index 0000000..e1e5fa0
--- /dev/null
+++ b/systemd/tlsrouter.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=TLS SNI proxy
+Documentation=https://github.com/google/tlsrouter
+
+[Service]
+WorkingDirectory=/tmp
+ExecStart=/usr/bin/tlsrouter -conf /etc/tlsrouter.conf
+Restart=always
+User=nobody
+Group=nobody
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+PrivateTmp=true
+PrivateDevices=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+NoNewPrivileges=true
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+[Install]
+WantedBy=multi-user.target
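Review bot: `User=nobody` / `Group=nobody` in the [Service] section undercuts the rest of the sandbox, because `nobody` is a shared account — any other service or process running as the same uid can signal or ptrace tlsrouter and read whatever it holds, and a compromise of one service is a compromise of all of them. A dedicated account, or `DynamicUser=yes` (available in the systemd versions current at this commit's date), would give the proxy a uid that nothing else shares. Since the unit already pins the process with `NoNewPrivileges=true` and a syscall denylist, `SystemCallArchitectures=native` would also close the non-native ABI that the `SystemCallFilter=` groups do not cover. A short comment above the `User=` line noting why a non-shared account is required, e.g. `# tlsrouter terminates nothing but needs its own uid so no other service shares its process namespace`, would help the next maintainer keep the setting.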