
shroud/dist/shroud.service -rw-r--r-- 1.5 KiB
32187908 — Eugene Blikh refactor: rename Go module to go.bigb.es/shroud a month ago
                                                                                
# shroud.service — systemd unit for the shroud binary (Shadowsocks + AmneziaWG VPN server).
# The service runs as the dedicated 'shroud' user (created by the install script,
# see below) and reads its configuration from /etc/shroud/config.yaml (see ExecStart=).
# Inspect the effective sandbox with: systemd-analyze security shroud
[Unit]
Description=Shroud — Shadowsocks + AmneziaWG VPN Server
Documentation=https://sourcecraft.dev/bigbes/shroud
# Start only once the network is really up and name resolution works, so the
# listeners and any DNS-dependent startup work on the first attempt.
# Wants= pulls network-online.target in; After= only orders against it.
After=network-online.target nss-lookup.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/shroud -c /etc/shroud/config.yaml
# Restart on a non-clean exit, signal or watchdog timeout, not on a clean exit.
Restart=on-failure
RestartSec=5
# systemd expects a WATCHDOG=1 notification from the main process at least
# once every 60 s; otherwise the unit is marked failed and Restart= takes over.
# NOTE(review): this only works if the shroud binary actually sends sd_notify
# watchdog pings — confirm, or the service will be killed every minute.
WatchdogSec=60

# Logging — stdout/stderr go straight to journald.
# View with: journalctl -u shroud -f
# Filter errors: journalctl -u shroud -p err
StandardOutput=journal
StandardError=journal
# Name under which the log lines are tagged in the journal.
SyslogIdentifier=shroud

# File descriptors — every client connection holds at least one fd, so lift
# the usual default soft limit (typically 1024) well above that.
LimitNOFILE=65536

# Run as dedicated user (created by install script)
# Unprivileged account; the capabilities below are the only privilege the
# process retains.
User=shroud
Group=shroud

# Capabilities — needed for:
#   CAP_NET_BIND_SERVICE  — bind to ports < 1024 (AWG on 443, ACME on 80)
#   CAP_NET_ADMIN         — create/configure TUN device (AWG)
#   CAP_NET_RAW           — raw socket for UDP listeners
# AmbientCapabilities= hands these to the non-root process at exec time;
# CapabilityBoundingSet= caps what the process can ever hold, so the two lists
# must stay in sync (a capability absent from the bounding set cannot be ambient).
# NOTE(review): ordinary UDP listeners do not require CAP_NET_RAW (it covers
# SOCK_RAW/AF_PACKET sockets and a few socket options) — confirm the binary
# really opens raw sockets; if not, drop it from both lines to narrow privilege.
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_NET_RAW

# Security hardening
# Prevents the process and its children from gaining privileges through
# setuid/setgid binaries or file capabilities.
NoNewPrivileges=yes
# Whole filesystem read-only except /dev, /proc and /sys; the writable
# exceptions are listed in ReadWritePaths= below.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
# Must stay 'no': PrivateDevices=yes would give the service a private minimal
# /dev whose pseudo-device set does not cover /dev/net/tun. Device access is
# narrowed with DeviceAllow= below instead.
PrivateDevices=no
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
# Forbids writable+executable memory mappings; fine for a plain Go binary,
# revisit only if a dependency needs JIT-style mappings.
MemoryDenyWriteExecute=yes
RemoveIPC=yes
# Only the host's native syscall ABI (no 32-bit compat entry points).
SystemCallArchitectures=native
# NOTE(review): further candidates for this block, to be validated against a
# running instance before enabling: RestrictAddressFamilies=AF_UNIX AF_INET
# AF_INET6 AF_NETLINK (AF_NETLINK is typically needed to configure the TUN
# interface), SystemCallFilter=@system-service, ProtectKernelLogs=yes,
# ProtectClock=yes, ProtectHostname=yes, ProtectProc=invisible.

# Writable paths for state, certs, and TUN device
# Each entry is bind-mounted read-write over the read-only root that
# ProtectSystem=strict sets up; start-up fails if a listed path is absent
# (e.g. /dev/net/tun while the tun module is not loaded) unless the entry is
# prefixed with '-'.
# NOTE(review): a writable /etc/shroud lets the service rewrite its own
# config.yaml; if only certificates need writing, consider narrowing this to
# that subdirectory or keeping certs under /var/lib/shroud. /dev/net/tun is
# already writable under strict (all of /dev is exempt), so that entry is
# redundant but harmless.
ReadWritePaths=/var/lib/shroud /etc/shroud /dev/net/tun

# Allow /dev/net/tun access for AWG
# With a DeviceAllow= line present, the default DevicePolicy=auto limits the
# device cgroup to the standard pseudo devices plus the entries listed here.
DeviceAllow=/dev/net/tun rw

[Install]
# 'systemctl enable' hooks the unit into the normal multi-user boot target.
WantedBy=multi-user.target