This service does not actually depend on nftables, at least not in the systemd sense of a dependency. Furthermore, the hard dependency caused the service to fail whenever it restarted nftables at the end of its run, which made systemd start it again and again until it hit the "restarting too quickly" error.
[Unit]
# Refreshes the FireHOL block lists that feed the local nftables ruleset.
Description=Update FireHOL lists
# Ordering only: do not start the download before the network is up.
After=network-online.target
# Soft dependencies (a failure here does not fail this unit): the network
# target, and the matching timer so that starting this service once also
# activates the periodic schedule.
Wants=network-online.target
Wants=update-firehol-nftables.timer
# Deliberately no Requires= on nftables.service: the updater restarts
# nftables at the end of its run, and a hard dependency would then fail
# this unit and make systemd restart it in a loop.

[Service]
# Sandboxing per https://www.ctrl.blog/entry/systemd-service-hardening.html
# NOTE(review): no User= is set, so the script runs as root; presumably
# needed to load rules with nft — confirm nothing less privileged works.
# Hide /home and /root; the updater has no business there.
ProtectHome=true
# Read-only /proc/sys, /sys and related kernel tunables. Needs a systemd
# that knows the directive (the original author noted Ubuntu 18.04+).
ProtectKernelTunables=true
# /usr, /boot and /etc become read-only ...
ProtectSystem=full
# ... except the nftables rule directory the script rewrites.
# ReadWriteDirectories= is the older spelling of ReadWritePaths=, kept
# because every systemd version in use here understands it.
ReadWriteDirectories=/etc/nftables
# Private /tmp and /var/tmp, set up fresh for each run and torn down after.
PrivateTmp=true
# Scratch space for downloads; with PrivateTmp= this is the private copy,
# not the world-writable system /var/tmp.
WorkingDirectory=/var/tmp
SyslogIdentifier=update-firehol-nftables
# The lock file path is relative to WorkingDirectory, i.e. it lives in the
# private /var/tmp. It therefore only serialises against processes inside
# this sandbox, not against a manual run of the script outside the unit.
# NOTE(review): the script presumably fetches list data over the network
# and writes it under /etc/nftables (the only writable system path here);
# confirm it validates what it downloads before nft loads it.
ExecStart=/usr/bin/flock -x update-firehol-nftables.lck /usr/local/bin/update-firehol-nftables.sh

[Install]
# `systemctl enable` hooks the service into the normal multi-user boot;
# together with Wants= in [Unit] this also brings up the timer.
WantedBy=multi-user.target