ooni-probe-cli/debian/ooniprobe-cli.service
Federico Ceratto 8df91ecb1b
debian: run as a daemon, ask informed consent (#162)
* Set verbose mode, depend on adduser

* Run as daemon

* Generate manpage

* Implement informed consent

* Set version

* Switch format to native

* Set environment

* Update packaging

* Create test and release pipelines

* Update debian/ooniprobe-cli.service

Co-authored-by: Simone Basso <bassosimone@gmail.com>

* Update debian/ooniprobe-cli.service

Co-authored-by: Simone Basso <bassosimone@gmail.com>

* Update debian/ooniprobe.conf.disabled

Co-authored-by: Simone Basso <bassosimone@gmail.com>

* fix(linux-debian-packages): build also on pull requests

Otherwise there's no way for us to test :^).

* fix(debian/control): ubuntu 20.04 has debhelper 12

See https://packages.ubuntu.com/focal/debhelper

* fix(debian/control): debhelper-compat relations doesn't work the way I thought

* Update debian/ooniprobe-cli.timer

Co-authored-by: Simone Basso <bassosimone@gmail.com>
2020-12-15 13:05:13 +01:00


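[Unit]
# Runs the OONI Probe command-line client as an unattended daemon
# (the command itself is in ExecStart= under [Service]).
Description=OONI Probe CLI
Documentation=man:ooniprobe-cli
# Disabled pointer to locally installed HTML documentation, kept from the
# original unit.
#Documentation=file:///usr/share/doc/ooniprobe-cli/html/index.html
Documentation=https://ooni.org/
# Wants= only pulls network-online.target into the boot transaction; it does
# not order this unit after it. The After= entry for network-online.target is
# what delays startup until the network is reported as up.
# NOTE(review): tor is usually packaged as tor.service; confirm that a
# tor.target unit exists on the target systems, otherwise that After= entry
# has no effect.
After=network.target network-online.target tor.target
Wants=network-online.target
# The unit is skipped, not failed, while this file is absent.
# NOTE(review): presumably the packaging installs the config only after the
# operator has given informed consent (the commit also ships
# ooniprobe.conf.disabled) - confirm in the maintainer scripts.
ConditionPathExists=/etc/ooniprobe/ooniprobe.conf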
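[Service]
# Foreground process; systemd considers the unit started as soon as the
# binary has been executed.
Type=simple
ExecStart=/usr/bin/ooniprobe --config=/etc/ooniprobe/ooniprobe.conf run unattended
# Stop sequence: SIGTERM goes to the main process only; after 5 seconds
# SIGKILL is sent to everything left in the unit's control group.
TimeoutStopSec=5
KillMode=mixed
Environment="OONI_HOME=/var/lib/ooniprobe"
# The probe runs under a dedicated unprivileged account, not root.
User=ooniprobe
# Deprecated directive: it makes User= apply to ExecStart= only, so that
# ExecStartPre=/ExecStartPost= commands run as root. This unit defines no
# such commands.
# NOTE(review): check that no drop-in relies on it before removing.
PermissionsStartOnly=true
# Restart after a fatal signal, timeout or watchdog event, but not after a
# regular exit, whatever the exit code.
Restart=on-abnormal
RestartSec=2s
LimitNOFILE=65536
WorkingDirectory=/var/lib/ooniprobe

# Sandboxing
# Upper bound on capabilities. With User= set, no AmbientCapabilities= and
# NoNewPrivileges=yes, the process starts without capabilities and cannot
# acquire any.
# NOTE(review): CAP_NET_BIND_SERVICE is therefore probably unused; an empty
# CapabilityBoundingSet= would state that explicitly - confirm the probe
# never binds ports below 1024.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
LockPersonality=yes
# Blocks privilege gain through setuid/setgid binaries and file capabilities.
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
# Separate user namespace: only root, nobody and the service user are mapped.
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# ProtectSystem=full mounts /usr, /boot, /efi and /etc read-only.
# ReadOnlyPaths=/ extends that to the whole file system; the ReadWritePaths=
# entries below reopen individual trees. A leading "-" means a missing path
# is ignored instead of failing the unit.
# ReadOnlyPaths=/ReadWritePaths= are the current names of the legacy
# ReadOnlyDirectories=/ReadWriteDirectories= settings.
ProtectSystem=full
ReadOnlyPaths=/
# NOTE(review): a writable /proc sits oddly next to ProtectKernelTunables=yes;
# confirm what the probe writes there and drop the entry if nothing.
ReadWritePaths=-/proc
ReadWritePaths=-/var/log/ooniprobe
ReadWritePaths=-/var/lib/ooniprobe
# NOTE(review): this reopens the whole runtime directory, where only file
# permissions limit the service user. If the probe needs just a directory of
# its own, RuntimeDirectory= would be narrower - confirm what it writes.
ReadWritePaths=-/var/run
# Only Unix, IPv4 and IPv6 sockets may be created; netlink and packet
# sockets, for example, are refused.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
# Native-ABI system calls only, limited to the @system-service allow-list.
SystemCallArchitectures=native
SystemCallFilter=@system-service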
[Install]
# "systemctl enable" hooks the unit into multi-user.target, so an enabled
# unit is started during normal boot.
WantedBy=multi-user.target