X-Git-Url: https://arthur.barton.de/cgi-bin/gitweb.cgi?p=ngircd-alex.git;a=blobdiff_plain;f=contrib%2Fngircd.service;h=e4c30e2525407b4523452792e695ab145d136b22;hp=b5bab060b1f69d807c96a52ff1bfbff186c71a5f;hb=HEAD;hpb=f37600ee01f6cfd86e8fa80f77ee26ebaf3012b2

diff --git a/contrib/ngircd.service b/contrib/ngircd.service
index b5bab060..311bc0d8 100644
--- a/contrib/ngircd.service
+++ b/contrib/ngircd.service
@@ -1,11 +1,48 @@
+# ngIRCd systemd service unit.
+# See systemd(1), systemd.unit(5), systemd.service(5), systemd.exec(5).
+
 [Unit]
 Description=Next Generation IRC Daemon
+Documentation=man:ngircd(8) man:ngircd.conf(5) https://ngircd.barton.de
 After=network.target
+Wants=anope.service atheme.service irc-services.service
+Wants=bopm.service hopm.service
+Before=anope.service atheme.service irc-services.service
+Before=bopm.service hopm.service
 
 [Service]
-# don't daemonize to simplify stuff
-ExecStart=/usr/sbin/ngircd -n
+Type=notify
+User=irc
+Group=irc
+# Settings & limits:
+CapabilityBoundingSet=CAP_SYS_CHROOT CAP_NET_BIND_SERVICE
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=full
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictRealtime=yes
+RuntimeDirectory=ircd
+RuntimeDirectoryMode=750
+StandardError=journal
+StandardOutput=journal
+# Try to load "default files" from any Debian package variant to keep this
+# unit generic.
+EnvironmentFile=-/etc/default/ngircd
+EnvironmentFile=-/etc/default/ngircd-full
+EnvironmentFile=-/etc/default/ngircd-full-dbg
+# Start ngIRCd. Note: systemd doesn't allow to use $DAEMON here!
+ExecStart=/usr/sbin/ngircd --nodaemon --syslog $PARAMS
 ExecReload=/bin/kill -HUP $MAINPID
+# Error handling:
+# ngIRCd tries to "ping" the service manager every 3 seconds.
+WatchdogSec=10
+Restart=on-failure
 
 [Install]
 WantedBy=multi-user.target