mirror of
https://github.com/wesnoth/wesnoth
synced 2025-05-16 18:31:32 +00:00
b5ec7b832e
This uses now the same options which are used when starting wesnothd from within the wesnoth UI. Systemd sandboxing has been added as well as an documentation entry. The socket file seems to be not removed in most cases, thus it gets deleted afterwards.
34 lines
1.0 KiB
SYSTEMD
34 lines
1.0 KiB
SYSTEMD
[Unit]
|
|
Description=Wesnoth@BINARY_SUFFIX@ Multiplayer Server Daemon
|
|
Documentation=man:wesnothd(6)
|
|
After=network.target
|
|
# other wesnothd installations use the same port by default
|
|
# Conflicts=wesnothd-1.12.service wesnothd-1.10.service
|
|
|
|
[Service]
|
|
ExecStart=@CMAKE_INSTALL_FULL_BINDIR@/wesnothd@BINARY_SUFFIX@ -t 2 -T 5
|
|
# you can use -c to specify the same configuration file
|
|
# which is used when starting wensothd from within the wesnoth UI
|
|
# (and make sure wesnothd has the required access permissions)
|
|
ExecStopPost=/usr/bin/rm -f @FIFO_DIR@/socket
|
|
SyslogIdentifier=Wesnothd@BINARY_SUFFIX@
|
|
|
|
# Additional security-related features
|
|
# (when using the -c option, do not use the Protect options)
|
|
ProtectHome=yes
|
|
ProtectSystem=full
|
|
PrivateTmp=yes
|
|
PrivateDevices=yes
|
|
NoNewPrivileges=yes
|
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
|
RestrictRealtime=yes
|
|
MemoryDenyWriteExecute=yes
|
|
SystemCallArchitectures=native
|
|
ProtectControlGroups=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectKernelModules=yes
|
|
RestrictNamespaces=yes
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|