Add systemd service
This commit is contained in:
parent
8265a12b72
commit
30315ed8ab
1 changed files with 31 additions and 0 deletions
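--- a/systemd/magicfw.service
+++ b/systemd/magicfw.service
@@ -0,0 +1,31 @@
+[Unit]
+Description=Docker Magic Firewall
+After=docker.service network-online.target firewalld.service
+Requires=docker.service
+Wants=network-online.target
+StartLimitIntervalSec=60
+StartLimitBurst=10
+
+[Service]
+Type=exec
+Restart=on-failure
+RestartSec=5s
+ExecStart=/usr/bin/python3 /opt/docker_magicfw.py
+
+# Environment variables (customize as needed)
+Environment=LOG_LEVEL=INFO
+Environment=ENABLE_IPV4=true
+Environment=ENABLE_IPV6=true
+Environment=DISABLE_NAT=true
+
+# Security hardening
+User=root
+Group=root
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+PrivateTmp=yes
+ProtectSystem=strict
+ProtectHome=read-only
+NoNewPrivileges=yes
+
+[Install]
+WantedBy=multi-user.target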
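Review bot: `ExecStart=/usr/bin/python3 /opt/docker_magicfw.py` runs a script from /opt as uid 0 with CAP_NET_ADMIN, and nothing in the unit records the ownership or mode that file must have, so the integrity of the host firewall rests on /opt/docker_magicfw.py not being writable by anyone but root; a comment above the `# Security hardening` block should state that, e.g. `# /opt/docker_magicfw.py must be root-owned and not group/world-writable; ProtectSystem=strict only makes /opt read-only for this service, not for other users`. The same block would benefit from a line explaining that `User=root` is deliberate because the process needs CAP_NET_ADMIN/CAP_NET_RAW to manage rules and the bounding set is what limits it, so a later reader does not "harden" it to an unprivileged user and break the service. If the script persists any state under /var or /etc (not visible from this unit), `ProtectSystem=strict` will make those writes fail and a `StateDirectory=` or `ReadWritePaths=` entry is needed. A `Documentation=` line in `[Unit]` pointing at the project's README would also help operators who only see the unit.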