[Unit] Description=AdGuardHome: Network-level blocker ConditionFileIsExecutable=__INSTALL_DIR__/AdGuardHome After=syslog.target network-online.target nginx.service [Service] Type=simple User=__APP__ Group=__APP__ StartLimitInterval=5 StartLimitBurst=10 WorkingDirectory=__INSTALL_DIR__/ ExecStart=__INSTALL_DIR__/AdGuardHome --no-check-update Restart=always RestartSec=10 #EnvironmentFile=-/etc/sysconfig/AdGuardHome # Sandboxing options to harden security # Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html NoNewPrivileges=no PrivateTmp=yes PrivateDevices=no RestrictNamespaces=no RestrictRealtime=no DevicePolicy=closed ProtectClock=no ProtectHostname=no ProtectProc=invisible ProtectSystem=full ProtectControlGroups=yes ProtectKernelModules=no ProtectKernelTunables=no LockPersonality=no SystemCallFilter= # Denying access to capabilities that should not be relevant for webapps # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG [Install] WantedBy=multi-user.target