+# ngIRCd systemd service unit.
+# See systemd(1), systemd.unit(5), systemd.service(5), systemd.exec(5).
+
[Unit]
Description=Next Generation IRC Daemon
Documentation=man:ngircd(8) man:ngircd.conf(5) https://ngircd.barton.de
After=network.target
+Wants=anope.service atheme.service irc-services.service
+Wants=bopm.service
+Before=anope.service atheme.service irc-services.service
+Before=bopm.service
[Service]
Type=forking
User=irc
Group=irc
+# Settings & limits:
CapabilityBoundingSet=CAP_SYS_CHROOT CAP_NET_BIND_SERVICE
-PrivateTmp=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateDevices=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
ProtectSystem=full
-ProtectHome=true
-NoNewPrivileges=true
-RestrictAddressFamilies=AF_INET AF_INET6
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictRealtime=yes
RuntimeDirectory=ircd
RuntimeDirectoryMode=750
+# Try to load "default files" from any Debian package variant to keep this
+# unit generic.
EnvironmentFile=-/etc/default/ngircd
EnvironmentFile=-/etc/default/ngircd-full
EnvironmentFile=-/etc/default/ngircd-full-dbg
+# Start ngIRCd. Note: systemd doesn't allow to use $DAEMON here!
ExecStart=/usr/sbin/ngircd $PARAMS
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure