From ed62cc884dfcc6ac911bce0be4880917840bc1aa Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sun, 17 Jul 2016 11:41:38 +0200
Subject: [PATCH] systemd rules for closely-supervised knot-resolver service

This is a fully-socket-activated knot-resolver service that can run as
a non-privileged user named knot-resolver.
---
 .gitignore                           |  1 -
 systemd/knot-resolver-control.socket | 13 +++++++++++++
 systemd/knot-resolver.service        | 14 ++++++++++++++
 systemd/knot-resolver.socket         | 13 +++++++++++++
 systemd/tmpfiles/knot-resolver.conf  |  7 +++++++
 5 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 systemd/knot-resolver-control.socket
 create mode 100644 systemd/knot-resolver.service
 create mode 100644 systemd/knot-resolver.socket
 create mode 100644 systemd/tmpfiles/knot-resolver.conf

diff --git a/.gitignore b/.gitignore
index d5c14f297..7579e2896 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,7 +23,6 @@
 .libs
 .deps
 _obj
-tmp*
 /autom4te.cache/*
 /config.log
 /config.h
diff --git a/systemd/knot-resolver-control.socket b/systemd/knot-resolver-control.socket
new file mode 100644
index 000000000..9f1976e8e
--- /dev/null
+++ b/systemd/knot-resolver-control.socket
@@ -0,0 +1,13 @@
+[Unit]
+Description=Knot DNS Resolver control socket
+Documentation=man:kresd(8)
+Before=sockets.target
+
+[Socket]
+ListenStream=/run/knot-resolver/control
+FileDescriptorName=control
+Service=knot-resolver.service
+SocketMode=0660
+
+[Install]
+WantedBy=sockets.target
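Review bot: `SocketMode=0660` is set without `SocketUser=`/`SocketGroup=`, so systemd creates /run/knot-resolver/control owned root:root and only root can connect; since the tmpfiles fragment in this patch also creates the parent directory 0750 root:root, the group bit of 0660 currently grants nothing. If root-only access is the intent, record it, e.g. `# root-only control socket; set SocketGroup= (and the directory group) to delegate to an admin group`; if an operator group is meant to use it, add `SocketGroup=<group>` here and the same group on /run/knot-resolver. Presumably this socket accepts administrative commands from whoever connects, so its mode is the unit's main trust boundary and deserves an explicit comment either way.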
diff --git a/systemd/knot-resolver.service b/systemd/knot-resolver.service
new file mode 100644
index 000000000..927b06a6e
--- /dev/null
+++ b/systemd/knot-resolver.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Knot DNS Resolver daemon
+## This is a socket-activated service:
+RefuseManualStart=true
+
+[Service]
+Type=notify
+WorkingDirectory=/run/knot-resolver/cache
+ExecStart=/usr/sbin/kresd
+User=knot-resolver
+Restart=on-failure
+
+[Install]
+WantedBy=sockets.target
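Review bot: The `[Install]` section with `WantedBy=sockets.target` undercuts `RefuseManualStart=true` a few lines above: `systemctl enable knot-resolver.service` adds a Wants= from sockets.target, which starts kresd at boot whether or not a client has connected, and RefuseManualStart only blocks an explicit `systemctl start`. Dropping the `[Install]` section from the service and leaving the two `.socket` units (which already carry their own `[Install]`) as the only enabled entry points keeps the "fully socket-activated" promise of the commit message. Because the port-53 listeners are inherited from the socket unit, the daemon needs no capabilities of its own, which makes this a cheap place for `NoNewPrivileges=yes` and `ProtectSystem=full` if the targeted systemd supports them, plus a one-line comment such as `# No capabilities needed: privileged listeners arrive pre-bound from knot-resolver.socket`.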
diff --git a/systemd/knot-resolver.socket b/systemd/knot-resolver.socket
new file mode 100644
index 000000000..7d8953c23
--- /dev/null
+++ b/systemd/knot-resolver.socket
@@ -0,0 +1,13 @@
+[Unit]
+Description=Knot DNS Resolver network listeners
+Documentation=man:kresd(8)
+Before=sockets.target
+
+[Socket]
+ListenStream=[::1]:53
+ListenDatagram=[::1]:53
+ListenStream=127.0.0.1:53
+ListenDatagram=127.0.0.1:53
+
+[Install]
+WantedBy=sockets.target
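Review bot: These four listeners carry no `FileDescriptorName=`, while the sibling control socket sets `FileDescriptorName=control`; if kresd tells the control fd apart from the DNS fds by name (which the sibling unit suggests), it only works if every unnamed fd is treated as a DNS listener, and that assumption is worth stating in a comment above `[Socket]`. The loopback-only binding on both address families also reads as deliberate but is undocumented; a line such as `# Loopback only by default; add further Listen*= lines via a drop-in to serve other interfaces` above `ListenStream=[::1]:53` would keep a later editor from "fixing" it by binding to all addresses.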
diff --git a/systemd/tmpfiles/knot-resolver.conf b/systemd/tmpfiles/knot-resolver.conf
new file mode 100644
index 000000000..6006f030e
--- /dev/null
+++ b/systemd/tmpfiles/knot-resolver.conf
@@ -0,0 +1,7 @@
+# tmpfiles.d(5) runtime directory for knot-resolver (kresd)
+#Type Path                            Mode UID           GID          Age Argument
+    d /run/knot-resolver              0750 root          root          -   -
+    d /run/knot-resolver/cache        0750 knot-resolver knot-resolver -   -
+    L /run/knot-resolver/cache/config 0750 knot-resolver knot-resolver -   /etc/knot-resolver/kresd.conf
+
+
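Review bot: /run/knot-resolver is created 0750 root:root, and the knot-resolver user is in neither owner nor group, so it has no search permission on the directory that holds both its working directory and the control socket; whether the daemon ever opens an absolute path below /run/knot-resolver (rather than paths relative to its cwd) cannot be told from this patch, so either give the directory the knot-resolver group, `d /run/knot-resolver 0750 root knot-resolver - -`, or add a comment stating that only cwd-relative access is expected. As far as I recall, tmpfiles.d(5) ignores the Mode field for `L` lines, so the `0750` on the symlink line is misleading and `-` would be clearer. It is also worth noting in the header comment that /run is tmpfs-backed, so the cache in /run/knot-resolver/cache does not survive a reboot and is bounded by the size of /run.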
-- 
GitLab