Further enhance systemd unit file

- Add more comments/documentation.
- Add dependencies for services and proxy scanners.
- Add more limit configurations.
- Allow AF_UNIX address family, required for syslog!

1 files changed, 20 insertions, 4 deletions

diff --git a/contrib/ngircd.service b/contrib/ngircd.service
index bfaddc91..e4c30e25 100644
--- a/contrib/ngircd.service
+++ b/contrib/ngircd.service
@@ -1,24 +1,40 @@
+# ngIRCd systemd service unit.
+# See systemd(1), systemd.unit(5), systemd.service(5), systemd.exec(5).
+
 [Unit]
 Description=Next Generation IRC Daemon
 Documentation=man:ngircd(8) man:ngircd.conf(5) https://ngircd.barton.de
 After=network.target
+Wants=anope.service atheme.service irc-services.service
+Wants=bopm.service
+Before=anope.service atheme.service irc-services.service
+Before=bopm.service
 
 [Service]
 Type=forking
 User=irc
 Group=irc
+# Settings & limits:
 CapabilityBoundingSet=CAP_SYS_CHROOT CAP_NET_BIND_SERVICE
-PrivateTmp=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
 ProtectSystem=full
-ProtectHome=true
-NoNewPrivileges=true
-RestrictAddressFamilies=AF_INET AF_INET6
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictRealtime=yes
 RuntimeDirectory=ircd
 RuntimeDirectoryMode=750
+# Try to load "default files" from any Debian package variant to keep this
+# unit generic.
 EnvironmentFile=-/etc/default/ngircd
 EnvironmentFile=-/etc/default/ngircd-full
 EnvironmentFile=-/etc/default/ngircd-full-dbg
+# Start ngIRCd. Note: systemd doesn't allow to use $DAEMON here!
 ExecStart=/usr/sbin/ngircd $PARAMS
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=on-failure