#
# Replace /var/lib/djbdns if needed
#

[Unit]
Description=tinydns DNS resolver
Documentation=man:tinydns
Documentation=https://cr.yp.to/djbdns.html
After=network.target
Requires=network.target
Wants=network.target
ConditionPathExists=/var/lib/djbdns

[Service]
Type=forking
PIDFile=/run/tinydns.pid
Environment="ROOT=/var/lib/djbdns"
ExecStart=/usr/bin/tinydns
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry=TERM/5/KILL/5 --pidfile /run/tinydns.pid
TimeoutStopSec=30
KillMode=mixed

PermissionsStartOnly=true
Restart=on-abnormal
RestartSec=2s
LimitNOFILE=65536

WorkingDirectory=/var/lib/djbdns
User=$ug_name
Group=$ug_name

# Hardening
# CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN CAP_FOWNER
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
# TODO: restrict ReadOnlyDirectories
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/djbdns

[Install]
WantedBy=multi-user.target