wg-netns/extras/wg-netns@.service

[Unit]
Description=WireGuard Network Namespace (%i)
Wants=network-online.target nss-lookup.target
After=network-online.target nss-lookup.target

[Service]
Type=oneshot
Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
Environment=WG_VERBOSE=1
ExecStart=wg-netns up %i
ExecStop=wg-netns down %i
RemainAfterExit=yes

WorkingDirectory=%E/wireguard
ConfigurationDirectory=wireguard
ConfigurationDirectoryMode=0700
ReadOnlyPaths=%E/wireguard
ReadWritePaths=%E/netns

CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN
LimitNOFILE=4096
LimitNPROC=512
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateMounts=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=noaccess
ProtectSystem=strict
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=mnt net
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
provide optional systemd service 2020-11-15 16:13:46 +00:00			`[Unit]`
			`Description=WireGuard Network Namespace (%i)`
			`Wants=network-online.target nss-lookup.target`
			`After=network-online.target nss-lookup.target`

			`[Service]`
			`Type=oneshot`
			`Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity`
rewrite with dataclasses Adds 'managed' option and yaml support, renames env vars and can load profiles by name. Closes #4. 2022-01-25 23:10:17 +00:00			`Environment=WG_VERBOSE=1`
			`ExecStart=wg-netns up %i`
			`ExecStop=wg-netns down %i`
rewrite for v1 Allow multiple interfaces per namespace. Change configuration format to json. 2020-12-06 21:53:31 +00:00			`RemainAfterExit=yes`
provide optional systemd service 2020-11-15 16:13:46 +00:00
rewrite with dataclasses Adds 'managed' option and yaml support, renames env vars and can load profiles by name. Closes #4. 2022-01-25 23:10:17 +00:00			`WorkingDirectory=%E/wireguard`
			`ConfigurationDirectory=wireguard`
systemd: harden service Resolves #13, closes #16. 2023-05-23 06:57:58 +00:00			`ConfigurationDirectoryMode=0700`
			`ReadOnlyPaths=%E/wireguard`
			`ReadWritePaths=%E/netns`

			`CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN`
			`LimitNOFILE=4096`
			`LimitNPROC=512`
			`LockPersonality=true`
			`MemoryDenyWriteExecute=true`
			`NoNewPrivileges=true`
			`PrivateDevices=true`
			`PrivateMounts=true`
			`PrivateTmp=true`
			`ProcSubset=pid`
			`ProtectClock=true`
			`ProtectControlGroups=true`
			`ProtectHome=true`
			`ProtectHostname=true`
			`ProtectKernelLogs=true`
			`ProtectKernelModules=true`
			`ProtectKernelTunables=true`
			`ProtectProc=noaccess`
			`ProtectSystem=strict`
			`RemoveIPC=true`
			`RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK`
			`RestrictNamespaces=mnt net`
			`RestrictRealtime=true`
			`RestrictSUIDSGID=true`
			`SystemCallArchitectures=native`
add setup script 2021-05-28 09:31:21 +00:00
provide optional systemd service 2020-11-15 16:13:46 +00:00			`[Install]`
			`WantedBy=multi-user.target`