From 3d6c1df14926517b85187f00dd874a652897d455 Mon Sep 17 00:00:00 2001
From: Marco d'Itri
Date: Thu, 20 Feb 2025 21:43:19 +0100
Subject: [PATCH] Add a systemd service unit for the ircd

This unit has extensive sandboxing enabled, to reduce the system's attack surface.
---
contrib/ircd.service | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 contrib/ircd.service

diff --git a/contrib/ircd.service b/contrib/ircd.service
new file mode 100644
index 00000000..de2c3461
--- /dev/null
+++ b/contrib/ircd.service
@@ -0,0 +1,34 @@
+[Unit]
+Description=IRCNet IRC daemon
+After=network.target
+
+[Service]
+Type=exec
+ExecStart=/home/ircnet/ircd/sbin/ircd -t
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+User=ircnet
+ReadOnlyPaths=/home/ircnet/ircd/
+ReadWritePaths=/home/ircnet/ircd/var/
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
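Review bot: The `[Service]` sandbox never sets `ProtectHome=`, so `/home`, `/root` and `/run/user` stay visible to the daemon; `ProtectSystem=strict` only makes them read-only, and a compromised ircd could still read whatever file permissions allow there. Because the install itself lives under `/home/ircnet/ircd/`, `ProtectHome=yes` would break the unit; the pattern the systemd documentation describes is `ProtectHome=tmpfs` with `BindReadOnlyPaths=/home/ircnet/ircd/` and `BindPaths=/home/ircnet/ircd/var/`, replacing the `ReadOnlyPaths=`/`ReadWritePaths=` pair. An empty `CapabilityBoundingSet=` and a second `SystemCallFilter=~@privileged @resources` line after `@system-service` would tighten it further, provided testing shows the ircd does not need to raise its resource limits or bind ports below 1024. A short comment above `ExecStart=` noting that the `/home/ircnet/ircd` prefix and `User=ircnet` must be adapted to the local install would also help anyone copying the file from `contrib/`.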