|
Enrico Scholz |
b9ae613 |
[Unit]
|
|
 |
fd51c00 |
Description=Anonymizing overlay network for TCP
|
|
|
fd51c00 |
After=syslog.target network.target nss-lookup.target
|
|
|
fd51c00 |
PartOf=tor-master.service
|
|
|
fd51c00 |
ReloadPropagatedFrom=tor-master.service
|
|
Enrico Scholz |
b9ae613 |
|
|
Enrico Scholz |
b9ae613 |
[Service]
|
|
|
486f339 |
Type=notify
|
|
|
486f339 |
NotifyAccess=all
|
|
|
486f339 |
ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --verify-config
|
|
|
486f339 |
ExecStart=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc
|
|
|
486f339 |
ExecReload=/bin/kill -HUP ${MAINPID}
|
|
|
486f339 |
KillSignal=SIGINT
|
|
|
486f339 |
TimeoutSec=30
|
|
|
486f339 |
Restart=on-failure
|
|
|
f0cf68d |
RestartSec=1
|
|
|
486f339 |
WatchdogSec=1m
|
|
|
486f339 |
LimitNOFILE=32768
|
|
Enrico Scholz |
b9ae613 |
|
|
|
486f339 |
# Hardening
|
|
|
486f339 |
PrivateTmp=yes
|
|
|
e955eb4 |
DeviceAllow=/dev/null rw
|
|
|
e955eb4 |
DeviceAllow=/dev/urandom r
|
|
|
486f339 |
ProtectHome=yes
|
|
|
486f339 |
ProtectSystem=full
|
|
|
c5783ad |
ReadOnlyDirectories=/run
|
|
|
c53f093 |
ReadOnlyDirectories=/var
|
|
|
c5783ad |
ReadWriteDirectories=/run/tor
|
|
|
486f339 |
ReadWriteDirectories=/var/lib/tor
|
|
|
486f339 |
ReadWriteDirectories=/var/log/tor
|
|
|
a910c5c |
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
|
|
|
f0cf68d |
PermissionsStartOnly=yes
|
|
|
4f51bac |
|
|
Enrico Scholz |
b9ae613 |
[Install]
|
|
Enrico Scholz |
b9ae613 |
WantedBy = multi-user.target
|