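# systemd unit template for the Unbound DNS resolver.
# The @UNBOUND_*@ tokens are build-time placeholders that are substituted
# before the unit is installed.
[Unit]
Description=Validating, recursive, and caching DNS resolver
Documentation=man:unbound(8)

[Install]
WantedBy=multi-user.target

[Service]
# Reload is requested by sending SIGHUP to the main process.
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=@UNBOUND_SBIN_DIR@/unbound
# Type=notify: the unit counts as started only once the daemon reports
# readiness; NotifyAccess=main accepts that report from the main PID only.
NotifyAccess=main
Type=notify

# No User= is set, so the daemon starts as root. The bounding set caps what
# that root process can ever hold.
# NOTE(review): presumably these cover mlock, binding port 53, dropping to an
# unprivileged uid/gid and chroot; confirm against the daemon configuration
# and remove any capability the deployment does not use.
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
# Refuse memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=true
# Neither the service nor its children can gain privileges through execve()
# (setuid/setgid bits, file capabilities).
NoNewPrivileges=true
# Private /dev without physical devices, and private /tmp and /var/tmp.
PrivateDevices=true
PrivateTmp=true
# /home, /root and /run/user are inaccessible to the service.
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
# strict: the whole file system hierarchy is read-only for the service,
# except the paths re-opened by ReadWritePaths= below.
ProtectSystem=strict
# NOTE(review): this list is broader than the rest of the sandbox. All of /run
# and the whole configuration directory are writable, so a compromised
# resolver could modify its own configuration or other services' runtime
# files. Narrow it to the specific files and directories the daemon writes
# if the deployment allows.
ReadWritePaths=@UNBOUND_SYSCONF_DIR@ @UNBOUND_LOCALSTATE_DIR@ /run @UNBOUND_RUN_DIR@
# Allow-list of socket address families. AF_INET6 is included because without
# it every IPv6 socket() call is rejected, which leaves the resolver without
# IPv6 listeners and unable to query IPv6-only name servers.
# NOTE(review): AF_NETLINK is not allowed; verify that interface enumeration
# is not needed by the configuration in use.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictRealtime=true
# Only system calls of the native ABI are permitted.
SystemCallArchitectures=native
# Deny-list (leading "~"): the named system call groups, plus the single
# mount system call, are blocked; everything else stays allowed.
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources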