From b84331c3ceb39704e5653317cd6f5627bbf4369b Mon Sep 17 00:00:00 2001
From: Julian Rother <julian@jrother.eu>
Date: Tue, 22 Feb 2022 00:57:58 +0100
Subject: [PATCH] Debian: Add SystemD template units for UNIX socket instances

---
 debian/uffd-ldapd@.service | 42 ++++++++++++++++++++++++++++++++++++++
 debian/uffd-ldapd@.socket  |  8 ++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 debian/uffd-ldapd@.service
 create mode 100644 debian/uffd-ldapd@.socket

diff --git a/debian/uffd-ldapd@.service b/debian/uffd-ldapd@.service
new file mode 100644
index 0000000..0e3a551
--- /dev/null
+++ b/debian/uffd-ldapd@.service
@@ -0,0 +1,42 @@
+[Unit]
+Description=Proxy server to provide uffd user and group data via LDAP
+After=network.target
+BindsTo=uffd-ldapd@%I.socket
+
+[Service]
+ExecStart=/usr/sbin/uffd-ldapd --socket-fd 3
+
+Restart=always
+RestartSec=10
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=uffd-ldapd
+
+DynamicUser=true
+PrivateUsers=true
+CapabilityBoundingSet=
+NoNewPrivileges=true
+RemoveIPC=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectClock=true
+ProtectHostname=true
+ProtectProc=noaccess
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+EnvironmentFile=/etc/uffd-ldapd-%I.conf
+
+[Install]
+WantedBy=default.target
diff --git a/debian/uffd-ldapd@.socket b/debian/uffd-ldapd@.socket
new file mode 100644
index 0000000..cb22ee1
--- /dev/null
+++ b/debian/uffd-ldapd@.socket
@@ -0,0 +1,8 @@
+[Unit]
+Description=Proxy server to provide uffd user and group data via LDAP
+
+[Socket]
+ListenStream=/var/run/uffd-ldapd-%I.sock
+
+[Install]
+WantedBy=sockets.target
-- 
GitLab