# Example systemd template unit for nfqws2. Adjust paths for your installation.
# One instance is started per config file: nfqws2@NAME reads /etc/zapret2/NAME.conf.

# WARNING: this unit requires nfqws2 to be built with `make systemd`.
# WARNING: that makefile target enables the systemd notify support that
#          Type=notify below depends on.

# PREPARE
#  install build dependencies
#  make -C /opt/zapret2 systemd
#  cp nfqws2\@.service /lib/systemd/system
#  systemctl daemon-reload

# MANAGE INSTANCE
#  prepare /etc/zapret2/nfqws1.conf with nfqws2 parameters
#  systemctl start nfqws2@nfqws1
#  systemctl status nfqws2@nfqws1
#  systemctl restart nfqws2@nfqws1
#  systemctl enable nfqws2@nfqws1
#  systemctl disable nfqws2@nfqws1
#  systemctl stop nfqws2@nfqws1

# DELETE
#  (the file installed in PREPARE is nfqws2@.service)
#  rm /lib/systemd/system/nfqws2@.service
#  systemctl daemon-reload

[Unit]
After=network.target

[Service]
# No User= is set, so systemd starts nfqws2 as root. Whether nfqws2 drops
# privileges by itself is not visible in this unit; confirm for your build.
Type=notify
Restart=on-failure

# The binary is looked up only in this directory. Because it is executed as
# root, keep the directory and the binary root-owned and not writable by
# other users.
# NOTE(review): ExecSearchPath= needs systemd 250 or newer; on older versions
# use an absolute path in ExecStart= instead.
ExecSearchPath=/opt/zapret2/nfq2
# "@file" passes the instance's .conf file to nfqws2 as its parameter list
# (see MANAGE INSTANCE above). Whoever can write to CONFIG_DIR controls the
# arguments of a root-started process: keep it writable by root only.
ExecStart=nfqws2 @${CONFIG_DIR}/${INSTANCE}.conf
Environment=CONFIG_DIR=/etc/zapret2
# %i is the instance name, i.e. the part between "@" and ".service"
# (nfqws1 for nfqws2@nfqws1).
Environment=INSTANCE=%i

# Allow-list of socket address families; creating any other kind of socket
# is denied.
RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET6 AF_INET

# Sandboxing. Each option removes access the service is not expected to need.
LockPersonality=true
# Denies memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=true
PrivateDevices=true
PrivateMounts=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
# "full" mounts /usr, /boot, /efi and /etc read-only; the rest of the file
# system stays writable ("strict" would be tighter).
ProtectSystem=full
# NOTE(review): per systemd.exec(5), RemoveIPC= only takes effect together
# with User=, Group= or DynamicUser=, none of which is set here.
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
# Files created by the service are accessible to their owner only.
UMask=0077
# NOTE(review): NoNewPrivileges=, CapabilityBoundingSet= and SystemCallFilter=
# are not set, so the service keeps the full root capability set and the full
# syscall surface. They are candidates for further tightening, but verify
# what nfqws2 actually needs before enabling them.
# `systemd-analyze security nfqws2@nfqws1` lists the remaining exposure.

[Install]
WantedBy=multi-user.target