; This unit file is provided to run unbound as a portable service.
; https://systemd.io/PORTABLE_SERVICES/
;
; To use this unit file, please make sure you either compile unbound with the
; following options:
;
; - --with-chroot-dir=""
;
; Or put the following options in your unbound configuration file:
;
; - chroot: ""
;
;
[Unit]
Description=Validating, recursive, and caching DNS resolver
Documentation=man:unbound(8)
After=network.target
Before=network-online.target nss-lookup.target
Wants=nss-lookup.target

[Install]
WantedBy=multi-user.target

[Service]
ExecReload=+/bin/kill -HUP $MAINPID
ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
NotifyAccess=main
Type=notify
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectSystem=strict
RuntimeDirectory=unbound
ConfigurationDirectory=unbound
StateDirectory=unbound
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
BindPaths=/run/systemd/notify
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout