2015-03-12 18:11:53 +01:00
|
|
|
# tor.service -- this systemd configuration file for Tor sets up a
|
|
|
|
# relatively conservative, hardened Tor service. You may need to
|
|
|
|
# edit it if you are making changes to your Tor configuration that it
|
|
|
|
# does not allow. Package maintainers: this should be a starting point
|
|
|
|
# for your tor.service; it is not the last point.
|
|
|
|
|
2014-04-21 15:47:44 +02:00
|
|
|
[Unit]
|
|
|
|
Description = Anonymizing overlay network for TCP
|
|
|
|
After = syslog.target network.target nss-lookup.target
|
|
|
|
|
2015-03-17 15:54:38 +01:00
|
|
|
[Service] Type = notify NotifyAccess = all ExecStartPre = @BINDIR@/tor
|
|
|
|
-f @CONFDIR@/torrc --verify-config ExecStart = @BINDIR@/tor -f
|
|
|
|
@CONFDIR@/torrc ExecReload = /bin/kill -HUP ${MAINPID} KillSignal =
|
|
|
|
SIGINT TimeoutSec = 30 Restart = on-failure WatchdogSec = 1m
|
2014-04-21 15:47:44 +02:00
|
|
|
LimitNOFILE = 32768
|
|
|
|
|
|
|
|
# Hardening
|
|
|
|
PrivateTmp = yes
|
2014-11-28 18:36:17 +01:00
|
|
|
PrivateDevices = yes
|
2014-11-28 18:36:56 +01:00
|
|
|
ProtectHome = yes
|
2014-11-28 18:41:23 +01:00
|
|
|
ProtectSystem = full
|
2014-08-27 05:05:12 +02:00
|
|
|
ReadOnlyDirectories = /
|
2014-11-28 18:38:40 +01:00
|
|
|
ReadWriteDirectories = -@LOCALSTATEDIR@/lib/tor
|
|
|
|
ReadWriteDirectories = -@LOCALSTATEDIR@/log/tor
|
2014-08-27 05:18:26 +02:00
|
|
|
NoNewPrivileges = yes
|
2015-01-11 17:26:08 +01:00
|
|
|
CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
|
2014-04-21 15:47:44 +02:00
|
|
|
|
|
|
|
[Install]
|
|
|
|
WantedBy = multi-user.target
|