From 3d6c1df14926517b85187f00dd874a652897d455 Mon Sep 17 00:00:00 2001
From: Marco d'Itri
Date: Thu, 20 Feb 2025 21:43:19 +0100
Subject: [PATCH 1/2] Add a systemd service unit for the ircd This unit has extensive sandboxing enabled, to reduce the system's attack surface.
---
 contrib/ircd.service | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 contrib/ircd.service
diff --git a/contrib/ircd.service b/contrib/ircd.service
new file mode 100644
index 00000000..de2c3461
--- /dev/null
+++ b/contrib/ircd.service
@@ -0,0 +1,34 @@
+[Unit]
+Description=IRCNet IRC daemon
+After=network.target
+
+[Service]
+Type=exec
+ExecStart=/home/ircnet/ircd/sbin/ircd -t
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+User=ircnet
+ReadOnlyPaths=/home/ircnet/ircd/
+ReadWritePaths=/home/ircnet/ircd/var/
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
From c9181781806014c0af019316bf9477905db88ae9 Mon Sep 17 00:00:00 2001
From: Patrick
Date: Sat, 31 Jan 2026 12:45:09 +0100
Subject: [PATCH 2/2] Add a systemd service unit for the ircd - use more common paths/user, added Wants, After and LimitCORE
---
 contrib/ircd.service | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/contrib/ircd.service b/contrib/ircd.service
index de2c3461..f65c2ad4 100644
--- a/contrib/ircd.service
+++ b/contrib/ircd.service
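Review bot: The sandbox in the unit added by PATCH 1/2 has no `ProtectHome=` setting, and since the daemon itself lives under `/home` the other accounts' home directories remain visible to a compromised ircd, limited only by file permissions; the relocated paths in PATCH 2/2 leave the same gap. `ProtectSystem=strict` only makes the tree read-only, it does not hide it. One way to close this while keeping the install location is `ProtectHome=tmpfs` together with `BindReadOnlyPaths=/home/ircnet/ircd/` and `BindPaths=/home/ircnet/ircd/var/`, replacing the `ReadOnlyPaths=`/`ReadWritePaths=` pair; installing outside `/home` and setting `ProtectHome=yes` is simpler. Running `systemd-analyze security` against the installed unit will show what else is still exposed.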
@@ -1,15 +1,20 @@
 [Unit]
-Description=IRCNet IRC daemon
-After=network.target
+Description=IRC daemon
+Wants=network-online.target
+After=network-online.target network.target
 
 [Service]
 Type=exec
-ExecStart=/home/ircnet/ircd/sbin/ircd -t
+WorkingDirectory=/home/ircd/irc
+ExecStart=/home/ircd/irc/sbin/ircd -t
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=on-failure
-User=ircnet
-ReadOnlyPaths=/home/ircnet/ircd/
-ReadWritePaths=/home/ircnet/ircd/var/
+RestartSec=2
+User=ircd
+Group=ircd
+LimitCORE=infinity
+ReadOnlyPaths=/home/ircd/irc/
+ReadWritePaths=/home/ircd/irc/var/
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectClock=yes
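Review bot: `LimitCORE=infinity` enables unbounded core dumps for a network-facing daemon, and a core image holds whatever the process had in memory at crash time, which for an ircd presumably includes configured passwords and client addresses. Because `WorkingDirectory=/home/ircd/irc` falls under `ReadOnlyPaths=`, a kernel `core_pattern` that writes into the working directory cannot create the file unless the daemon changes into the writable `var/` itself, so in practice the setting matters where a collector such as systemd-coredump is active, and those dumps then need their own access control and retention. For a contrib unit that others will copy, shipping `LimitCORE=0` and documenting a drop-in override for debugging would be the safer default; at minimum add a comment such as `# core dumps enabled for crash debugging; dumps may contain secrets`. The hunk ends at `ProtectClock=yes` and the remainder of the unit is not touched by this patch.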