commit 74f021fb444acd5a19b907aa5bc886c5dc58e5a9
Author: Alexander Barton 
Date:   Fri Jan 6 22:50:24 2017 +0100

    Further enhance systemd unit file

    - Add more comments/documentation.
    - Add dependencies for services and proxy scanners.
    - Add more limit configurations.
    - Allow AF_UNIX address family, required for syslog!

diff --git a/contrib/ngircd.service b/contrib/ngircd.service
index bfaddc91a45ff591fdc76dbf91744d176933f744..
index ..e4c30e2525407b4523452792e695ab145d136b22 100644
--- a/contrib/ngircd.service
+++ b/contrib/ngircd.service
@@ -1,24 +1,40 @@
+# ngIRCd systemd service unit.
+# See systemd(1), systemd.unit(5), systemd.service(5), systemd.exec(5).
+
 [Unit]
 Description=Next Generation IRC Daemon
 Documentation=man:ngircd(8) man:ngircd.conf(5) https://ngircd.barton.de
 After=network.target
+Wants=anope.service atheme.service irc-services.service
+Wants=bopm.service
+Before=anope.service atheme.service irc-services.service
+Before=bopm.service

 [Service]
 Type=forking
 User=irc
 Group=irc
+# Settings & limits:
 CapabilityBoundingSet=CAP_SYS_CHROOT CAP_NET_BIND_SERVICE
-PrivateTmp=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
 ProtectSystem=full
-ProtectHome=true
-NoNewPrivileges=true
-RestrictAddressFamilies=AF_INET AF_INET6
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictRealtime=yes
 RuntimeDirectory=ircd
 RuntimeDirectoryMode=750
+# Try to load "default files" from any Debian package variant to keep this
+# unit generic.
 EnvironmentFile=-/etc/default/ngircd
 EnvironmentFile=-/etc/default/ngircd-full
 EnvironmentFile=-/etc/default/ngircd-full-dbg
+# Start ngIRCd. Note: systemd doesn't allow to use $DAEMON here!
 ExecStart=/usr/sbin/ngircd $PARAMS
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=on-failure
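Review bot: The two added `Wants=` lines in [Unit] make systemd start anope, atheme, irc-services and bopm whenever ngircd starts, provided those units are installed, even if the administrator left them disabled; only masking a unit prevents it. For a generic contrib unit this means more services can end up running on the host than were explicitly enabled. The added `Before=` lines already provide the ordering on their own, so I would drop both `Wants=` lines. If the pull-in is intended, add a comment above them such as `# Note: Wants= starts these units even when disabled; mask them to opt out.`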
