i2pd/contrib/i2pd.service

[Unit]
Description=I2P Router written in C++
Documentation=man:i2pd(1) https://i2pd.readthedocs.io/en/latest/
After=network.target
ConditionFileIsExecutable=/usr/sbin/i2pd

[Service]
User=i2pd
Group=i2pd
PermissionsStartOnly=yes

RuntimeDirectory=i2pd
RuntimeDirectoryMode=0700
LogsDirectory=i2pd
LogsDirectoryMode=0700
Type=exec
Environment="DAEMON_OPTS=--conf=/etc/i2pd/i2pd.conf --tunconf=/etc/i2pd/tunnels.conf --tunnelsdir=/etc/i2pd/tunnels.conf.d --pidfile=/run/i2pd/i2pd.pid --logfile=/var/log/i2pd/i2pd.log --loglevel=error --service"
EnvironmentFile=-/etc/default/i2pd
ExecStart=/usr/sbin/i2pd $DAEMON_OPTS
ExecReload=/bin/sh -c "kill -HUP $MAINPID"
PIDFile=/run/i2pd/i2pd.pid
Restart=on-failure

KillSignal=SIGQUIT
# If you have the patience waiting 10 min on restarting/stopping it, uncomment this.
# i2pd stops accepting new tunnels and waits ~10 min while old ones do not die.
#KillSignal=SIGINT
#TimeoutStopSec=10m

LimitNOFILE=65536
# To enable write of coredump uncomment this
#LimitCORE=infinity

# Hardening
NoNewPrivileges=yes
PrivateTmp=yes
PrivateUsers=true
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ProtectClock=true
ProtectControlGroups=yes
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/i2pd
ReadWriteDirectories=-/var/log/i2pd
ReadWriteDirectories=-/run
CapabilityBoundingSet=
UMask=0077
LockPersonality=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete

[Install]
WantedBy=multi-user.target
i2pd.service: do not block system shutdown for 10 min 2018-02-03 02:29:28 +08:00			`[Unit]`
			`Description=I2P Router written in C++`
			`Documentation=man:i2pd(1) https://i2pd.readthedocs.io/en/latest/`
			`After=network.target`
Hardening and more for the systemd service Performance improvements, auto-restart on failure to prevent unattended routers from shutting down by accident, and leveraging systemd's security features. 2020-09-18 10:22:32 +03:00			`ConditionFileIsExecutable=/usr/sbin/i2pd`
i2pd.service: do not block system shutdown for 10 min 2018-02-03 02:29:28 +08:00
			`[Service]`
			`User=i2pd`
			`Group=i2pd`
Hardening and more for the systemd service Performance improvements, auto-restart on failure to prevent unattended routers from shutting down by accident, and leveraging systemd's security features. 2020-09-18 10:22:32 +03:00			`PermissionsStartOnly=yes`

i2pd.service: do not block system shutdown for 10 min 2018-02-03 02:29:28 +08:00			`RuntimeDirectory=i2pd`
			`RuntimeDirectoryMode=0700`
Create LogsDirectory in i2pd.service Create /var/log/i2pd through LogsDirectory parameter of systemd and set its permission to 0700 through LogsDirectoryMode. Indeed, this directory must be created with the correct permission as it is used in ExecStart command Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> 2018-03-05 18:30:02 +01:00			`LogsDirectory=i2pd`
			`LogsDirectoryMode=0700`
Hardening and more for the systemd service Performance improvements, auto-restart on failure to prevent unattended routers from shutting down by accident, and leveraging systemd's security features. 2020-09-18 10:22:32 +03:00			`Type=exec`
change i2pd loglevel in systemd service 2020-09-18 17:20:03 +03:00			`Environment="DAEMON_OPTS=--conf=/etc/i2pd/i2pd.conf --tunconf=/etc/i2pd/tunnels.conf --tunnelsdir=/etc/i2pd/tunnels.conf.d --pidfile=/run/i2pd/i2pd.pid --logfile=/var/log/i2pd/i2pd.log --loglevel=error --service"`
Hardening and more for the systemd service Performance improvements, auto-restart on failure to prevent unattended routers from shutting down by accident, and leveraging systemd's security features. 2020-09-18 10:22:32 +03:00			`EnvironmentFile=-/etc/default/i2pd`
			`ExecStart=/usr/sbin/i2pd $DAEMON_OPTS`
Fix and update i2pd.service - /var/run on distros with systemd is a symlink to /run , hence the path changes. - Remove unnecessary runtime dependency on `/bin/kill` which is provided by `procps` and might not be available on minimal installs (e.g. containers). Instead use `/bin/sh` which has a built-in `kill`. - `PrivateDevices=yes` causes i2pd to fail to start on latest Debian unstable. Service exits with the following: ``` i2pd.service: Failed to execute command: Operation not permitted i2pd.service: Failed at step EXEC spawning /usr/sbin/i2pd: Operation not permitted i2pd.service: Control process exited, code=exited, status=203/EXEC i2pd.service: Failed with result 'exit-code'. Failed to start I2P Router written in C++. ``` According to `man systemd.exec` exit code 203 corresponds to the `execve(2)` system call failing. So it looks like i2pd tries to do something it shouldn't be doing. The proper fix would be in i2pd, but who knows how long that would actually take, so to allow people to actually launch i2pd in meanwhile the line has been removed from the service file. Also, surprisingly, right after installing i2pd it started without any problems, and only after restarting the box i2pd started to fail for no apparent reason. 2019-07-24 11:15:31 +01:00			`ExecReload=/bin/sh -c "kill -HUP $MAINPID"`
			`PIDFile=/run/i2pd/i2pd.pid`
fixing 2020-09-18 17:25:21 +03:00			`Restart=on-failure`
i2pd.service: do not block system shutdown for 10 min 2018-02-03 02:29:28 +08:00
			`KillSignal=SIGQUIT`
			`# If you have the patience waiting 10 min on restarting/stopping it, uncomment this.`
			`# i2pd stops accepting new tunnels and waits ~10 min while old ones do not die.`
			`#KillSignal=SIGINT`
			`#TimeoutStopSec=10m`

Hardening and more for the systemd service Performance improvements, auto-restart on failure to prevent unattended routers from shutting down by accident, and leveraging systemd's security features. 2020-09-18 10:22:32 +03:00			`LimitNOFILE=65536`
add tunnels.d to packages 2018-11-06 20:04:26 +03:00			`# To enable write of coredump uncomment this`
			`#LimitCORE=infinity`
i2pd.service: do not block system shutdown for 10 min 2018-02-03 02:29:28 +08:00
Hardening and more for the systemd service Performance improvements, auto-restart on failure to prevent unattended routers from shutting down by accident, and leveraging systemd's security features. 2020-09-18 10:22:32 +03:00			`# Hardening`
			`NoNewPrivileges=yes`
			`PrivateTmp=yes`
			`PrivateUsers=true`
			`PrivateDevices=yes`
			`ProtectHome=yes`
			`ProtectSystem=full`
			`ProtectClock=true`
			`ProtectControlGroups=yes`
			`ProtectHostname=true`
			`ProtectKernelLogs=true`
			`ProtectKernelModules=yes`
			`ProtectKernelTunables=yes`
			`ProtectSystem=strict`
			`RestrictAddressFamilies=AF_INET AF_INET6`
more hardening 2020-09-18 18:20:05 +03:00			`RestrictNamespaces=true`
Hardening and more for the systemd service Performance improvements, auto-restart on failure to prevent unattended routers from shutting down by accident, and leveraging systemd's security features. 2020-09-18 10:22:32 +03:00			`RestrictRealtime=true`
			`RestrictSUIDSGID=true`
			`RemoveIPC=true`
			`ReadOnlyDirectories=/`
			`ReadWriteDirectories=-/var/lib/i2pd`
			`ReadWriteDirectories=-/var/log/i2pd`
			`ReadWriteDirectories=-/run`
			`CapabilityBoundingSet=`
more hardening 2020-09-18 18:20:05 +03:00			`UMask=0077`
			`LockPersonality=true`
			`MemoryDenyWriteExecute=true`
			`SystemCallArchitectures=native`
			`SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete`
Hardening and more for the systemd service Performance improvements, auto-restart on failure to prevent unattended routers from shutting down by accident, and leveraging systemd's security features. 2020-09-18 10:22:32 +03:00
i2pd.service: do not block system shutdown for 10 min 2018-02-03 02:29:28 +08:00			`[Install]`
			`WantedBy=multi-user.target`