author | Alberto Bertogli
<albertito@blitiri.com.ar> 2016-05-17 23:16:35 UTC |
committer | Alberto Bertogli
<albertito@blitiri.com.ar> 2016-05-22 20:08:00 UTC |
parent | e5c478763bfba43e343edde34bb7254bda61d1a8 |
etc/systemd/{dnss-dns_to_grpc.service => dns-to-grpc/dnss.service} | +11 | -7 |
etc/systemd/{dnss-dns_to_grpc.socket => dns-to-grpc/dnss.socket} | +1 | -1 |
etc/systemd/dns-to-https/dnss.service | +32 | -0 |
etc/systemd/dns-to-https/dnss.socket | +11 | -0 |
etc/systemd/{dnss-grpc_to_dns.service => grpc-to-dns/dnss.service} | +1 | -0 |
diff --git a/etc/systemd/dnss-dns_to_grpc.service b/etc/systemd/dns-to-grpc/dnss.service
similarity index 66%
rename from etc/systemd/dnss-dns_to_grpc.service
rename to etc/systemd/dns-to-grpc/dnss.service
index 56c5c82..bf4e3d8 100644
--- a/etc/systemd/dnss-dns_to_grpc.service
+++ b/etc/systemd/dns-to-grpc/dnss.service
@@ -2,22 +2,25 @@ Description = dnss daemon - DNS to GRPC mode # Note we get the sockets via systemd, see the matching .socket configuration. +Requires=dnss.socket + [Service] -ExecStart = /usr/bin/dnss --dns_to_grpc \ - --dns_listen_addr=systemd \ +ExecStart = /usr/bin/dnss \ + --dns_listen_addr=systemd \ + --logtostderr \ + --monitoring_listen_addr=127.0.0.1:8081 \ + --grpc_upstream=1.2.3.4:9953 \ --grpc_client_cafile=/etc/ssl/dnss/1.2.3.4-cert.pem \ - --grpc_upstream=1.2.3.4:9953 \ - --monitoring_listen_addr=127.0.0.1:9982 \ - --logtostderr + --enable_dns_to_grpc -Type = simple +Type = simple +Restart = always # The user can be created with no permissions using: # # sudo useradd -U dnss -M -d /nonexistent -s /bin/false - User = ddns Group = ddns
@@ -27,5 +30,6 @@ ProtectSystem = full [Install] +Also=dnss.socket WantedBy = multi-user.target
diff --git a/etc/systemd/dnss-dns_to_grpc.socket b/etc/systemd/dns-to-grpc/dnss.socket
similarity index 80%
rename from etc/systemd/dnss-dns_to_grpc.socket
rename to etc/systemd/dns-to-grpc/dnss.socket
index 984432d..b73523c 100644
--- a/etc/systemd/dnss-dns_to_grpc.socket
+++ b/etc/systemd/dns-to-grpc/dnss.socket
@@ -1,4 +1,4 @@
-# Sockets for dnss in DNS to GRPC mode.
+# Sockets for dnss.
 #
 # This lets dnss run unprivileged.
 # We typically want one UDP and one TCP socket.
diff --git a/etc/systemd/dns-to-https/dnss.service b/etc/systemd/dns-to-https/dnss.service
new file mode 100644
index 0000000..262092a
--- /dev/null
+++ b/etc/systemd/dns-to-https/dnss.service
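Review bot: `User = ddns` and `Group = ddns` in the [Service] hunk name a different account from the one the comment directly above tells the operator to create (`sudo useradd -U dnss ...`) and from the `User = dnss` the new dns-to-https unit in this commit uses, so on a host provisioned as the comment says this unit fails to start for lack of the `ddns` user; the same `ddns` lines are visible in the grpc-to-dns/dnss.service hunk. Unless `ddns` is a deliberately separate account, change both units to `User = dnss` and `Group = dnss`. The rewritten ExecStart also keeps `--grpc_upstream=1.2.3.4:9953` and `--grpc_client_cafile=/etc/ssl/dnss/1.2.3.4-cert.pem` without marking them as placeholders; a line such as `# Replace 1.2.3.4 with the real upstream and install its certificate as the CA file` above ExecStart would stop a copied unit from silently pinning the example upstream and its certificate.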
@@ -0,0 +1,32 @@
+[Unit]
+Description = dnss daemon - DNS over HTTPS mode
+
+# Note we get the sockets via systemd, see dnss.socket.
+Requires=dnss.socket
+
+[Service]
+ExecStart=/usr/local/bin/dnss \
+ --dns_listen_addr=systemd \
+ --logtostderr \
+ --monitoring_listen_addr=127.0.0.1:8081 \
+ --enable_dns_to_https
+
+
+Type = simple
+Restart = always
+
+# The user can be created with no permissions using:
+#
+# sudo useradd -U dnss -M -d /nonexistent -s /bin/false
+User = dnss
+Group = dnss
+
+# Simple security measures just in case.
+CapabilityBoundingSet = CAP_NET_BIND_SERVICE
+ProtectSystem=full
+
+
+[Install]
+Also=dnss.socket
+WantedBy = multi-user.target
+
diff --git a/etc/systemd/dns-to-https/dnss.socket b/etc/systemd/dns-to-https/dnss.socket
new file mode 100644
index 0000000..b73523c
--- /dev/null
+++ b/etc/systemd/dns-to-https/dnss.socket
@@ -0,0 +1,11 @@
+# Sockets for dnss.
+#
+# This lets dnss run unprivileged.
+# We typically want one UDP and one TCP socket.
+
+[Socket]
+ListenDatagram=53
+ListenStream=53
+
+[Install]
+WantedBy=sockets.target
diff --git a/etc/systemd/dnss-grpc_to_dns.service b/etc/systemd/grpc-to-dns/dnss.service
similarity index 96%
rename from etc/systemd/dnss-grpc_to_dns.service
rename to etc/systemd/grpc-to-dns/dnss.service
index 6a5d196..8fa8086 100644
--- a/etc/systemd/dnss-grpc_to_dns.service
+++ b/etc/systemd/grpc-to-dns/dnss.service
@@ -9,6 +9,7 @@ ExecStart = /usr/bin/dnss --enable_grpc_to_dns \ --logtostderr Type = simple +Restart = always User = ddns Group = ddns
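Review bot: `ExecStart=/usr/local/bin/dnss` in the new dns-to-https unit points at a different binary location from the `/usr/bin/dnss` used by the dns-to-grpc and grpc-to-dns units in this same commit, so an operator who installs the binary once and enables more than one mode gets a unit that fails at exec time; settle on one path (the other two units suggest `ExecStart=/usr/bin/dnss \`). The listening sockets are handed over by systemd (`--dns_listen_addr=systemd`, `Requires=dnss.socket`) and the monitoring port 8081 is unprivileged, so the process itself does not appear to need `CAP_NET_BIND_SERVICE`; `CapabilityBoundingSet=` (empty) plus `NoNewPrivileges=true` would drop it, provided the https mode binds no other privileged port. The new file also mixes `Key=value` (`Requires=`, `ExecStart=`, `ProtectSystem=`) with `Key = value` (`Type = simple`, `Restart = always`); picking one spacing keeps it consistent with the sibling units.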
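Review bot: `ListenDatagram=53` and `ListenStream=53` given as bare port numbers bind the wildcard address (IPv6, with IPv4 via dual-stack), so the DNS-over-HTTPS forwarder answers queries on every interface of the host, not just locally. If it is intended as a local resolver, `ListenDatagram=127.0.0.1:53` and `ListenStream=127.0.0.1:53` (with the `[::1]:53` equivalents if IPv6 loopback is wanted) limit the exposure; if serving the network is intended, a comment saying so above `[Socket]` would save the next reader the question. The same lines are shared with dns-to-grpc/dnss.socket, which this commit leaves at the identical blob b73523c, so the decision applies to both socket units.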