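# systemd unit template for the Unbound DNS resolver, restored to one
# directive per line (the annotated listing had fused line numbers, revision
# ids and author names into the directives). The @NAME@ tokens are
# placeholders, presumably substituted at build time; confirm against the
# build system.
#
# No User= is set, so the daemon starts with root's identity inside the
# sandbox below. It presumably drops privileges itself after startup
# (CAP_SETUID/CAP_SETGID/CAP_SYS_CHROOT are retained for that); verify
# against the unbound configuration in use.

[Unit]
Description=Validating, recursive, and caching DNS resolver
Documentation=man:unbound(8)
After=network.target
Before=network-online.target nss-lookup.target
Wants=nss-lookup.target

[Install]
WantedBy=multi-user.target

[Service]
# The "+" prefix runs this one command with full privileges: the capability
# bounding set and file-system namespacing configured below are not applied
# to it. Keep the command line fixed and minimal for that reason.
ExecReload=+/bin/kill -HUP $MAINPID
# -d keeps unbound in the foreground so systemd supervises the real main PID.
ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
# Only the main process may send readiness/status notifications.
NotifyAccess=main
Type=notify
# Upper bound on capabilities for the service's processes; anything not
# listed can never be acquired. CAP_NET_RAW is the broadest network
# capability here.
# NOTE(review): confirm the deployment needs CAP_NET_RAW; drop it otherwise.
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
# Refuse memory mappings that are both writable and executable.
MemoryDenyWriteExecute=true
# execve() cannot grant new privileges (setuid/setgid bits, file capabilities).
NoNewPrivileges=true
# Private /dev without physical devices, private /tmp, and no access to
# home directories.
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
# Whole file-system hierarchy is read-only for the service; ReadWritePaths=
# re-opens the listed locations.
ProtectSystem=strict
# NOTE(review): all of /run is writable here, which is wider than the run and
# chroot directories alone; narrow it if the deployment allows.
ReadWritePaths=/run @UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
# Read-only tmpfs instances mask dev/ and run/ inside the chroot directory;
# the bind mounts below then expose only the individual nodes listed.
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/run:ro
# A leading "-" on the source path means the bind mount is skipped without
# error when the source does not exist.
BindReadOnlyPaths=-/run/systemd/notify:@UNBOUND_CHROOT_DIR@/run/systemd/notify
BindPaths=-@UNBOUND_PIDFILE@:@UNBOUND_CHROOT_DIR@@UNBOUND_PIDFILE@
BindReadOnlyPaths=-/dev/urandom:@UNBOUND_CHROOT_DIR@/dev/urandom
BindPaths=-/dev/log:@UNBOUND_CHROOT_DIR@/dev/log
# Sockets may only be created for IPv4, IPv6 and Unix-domain families.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictRealtime=true
# Only the native system-call ABI is permitted, so the filter below cannot be
# sidestepped through an alternate ABI.
SystemCallArchitectures=native
# Deny-list ("~" prefix): the listed groups and the single "mount" call are
# blocked, everything else stays allowed. "mount" is the individual system
# call, not the "@mount" group.
# NOTE(review): an allow-list would be the tighter form of this filter.
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
# No new namespaces, no change of execution domain, and no creation of
# set-user-ID/set-group-ID files.
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes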