summaryrefslogtreecommitdiffstats
path: root/roles/common/files/etc/systemd/system/stunnel4@.service
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common/files/etc/systemd/system/stunnel4@.service')
-rw-r--r--roles/common/files/etc/systemd/system/stunnel4@.service32
1 files changed, 32 insertions, 0 deletions
diff --git a/roles/common/files/etc/systemd/system/stunnel4@.service b/roles/common/files/etc/systemd/system/stunnel4@.service
new file mode 100644
index 0000000..4d69702
--- /dev/null
+++ b/roles/common/files/etc/systemd/system/stunnel4@.service
@@ -0,0 +1,32 @@
+[Unit]
+Description=SSL tunnel for network daemons (instance %i)
+Documentation=man:stunnel4(8)
+After=network.target nss-lookup.target
+PartOf=stunnel4.service
+ReloadPropagatedFrom=stunnel4.service
+
+[Service]
+DynamicUser=yes
+; force dynamic user/group allocation (stunnel4 user exists already)
+User=_stunnel4-%i
+Group=_stunnel4-%i
+ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillSignal=SIGINT
+TimeoutStartSec=120
+TimeoutStopSec=60
+Restart=on-failure
+
+# Hardening
+NoNewPrivileges=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+
+[Install]
+WantedBy=multi-user.target
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-29 10:06:47 +0000