1 files changed, 53 insertions, 0 deletions

diff --git a/dnsdist.service.in b/dnsdist.service.in
new file mode 100644
index 0000000..bb11a26
--- /dev/null
+++ b/dnsdist.service.in
@@ -0,0 +1,53 @@
+[Unit]
+Description=DNS Loadbalancer
+Documentation=man:dnsdist(1)
+Documentation=https://dnsdist.org
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+ExecStartPre=@bindir@/dnsdist --check-config
+# Note: when editing the ExecStart command, keep --supervised and --disable-syslog
+ExecStart=@bindir@/dnsdist --supervised --disable-syslog
+User=@service_user@
+Group=@service_group@
+SyslogIdentifier=dnsdist
+Type=notify
+Restart=on-failure
+RestartSec=2
+TimeoutStopSec=5
+StartLimitInterval=0
+
+# Tuning
+TasksMax=8192
+LimitNOFILE=16384
+# Note: increasing the amount of lockable memory is required to use eBPF support
+# LimitMEMLOCK=infinity
+
+# Sandboxing
+# Note: adding CAP_SYS_ADMIN (or CAP_BPF for Linux >= 5.8) is required to use eBPF support,
+# and CAP_NET_RAW to be able to set the source interface to contact a backend
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+LockPersonality=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+# Setting PrivateUsers=true prevents us from opening our sockets
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete
+
+[Install]
+WantedBy=multi-user.target