|
 |
fd51c00 |
[Unit]
|
|
|
fd51c00 |
Description=Anonymizing overlay network for TCP (instance: %i)
|
|
|
fd51c00 |
After=syslog.target network.target nss-lookup.target
|
|
|
fd51c00 |
PartOf=tor-master.service
|
|
|
fd51c00 |
ReloadPropagatedFrom=tor-master.service
|
|
|
fd51c00 |
|
|
|
fd51c00 |
[Service]
|
|
|
fd51c00 |
Type=notify
|
|
|
fd51c00 |
NotifyAccess=all
|
|
|
fd51c00 |
ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/%i.torrc --verify-config
|
|
|
fd51c00 |
ExecStart=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/%i.torrc
|
|
|
fd51c00 |
ExecReload=/bin/kill -HUP ${MAINPID}
|
|
|
fd51c00 |
KillSignal=SIGINT
|
|
|
fd51c00 |
TimeoutSec=30
|
|
|
fd51c00 |
Restart=on-failure
|
|
|
f0cf68d |
RestartSec=1
|
|
|
fd51c00 |
WatchdogSec=1m
|
|
|
fd51c00 |
LimitNOFILE=32768
|
|
|
fd51c00 |
|
|
|
fd51c00 |
# Hardening
|
|
|
fd51c00 |
PrivateTmp=yes
|
|
|
fd51c00 |
DeviceAllow=/dev/null rw
|
|
|
fd51c00 |
DeviceAllow=/dev/urandom r
|
|
|
fd51c00 |
ProtectHome=yes
|
|
|
fd51c00 |
ProtectSystem=full
|
|
|
c5783ad |
ReadOnlyDirectories=/run
|
|
|
c53f093 |
ReadOnlyDirectories=/var
|
|
|
c5783ad |
ReadWriteDirectories=/run/tor
|
|
|
fd51c00 |
ReadWriteDirectories=/var/lib/tor
|
|
|
fd51c00 |
ReadWriteDirectories=/var/log/tor
|
|
|
a910c5c |
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
|
|
|
f0cf68d |
PermissionsStartOnly=yes
|
|
|
fd51c00 |
|
|
|
fd51c00 |
[Install]
|
|
|
fd51c00 |
WantedBy = multi-user.target
|