# systemd service unit for an OpenSSH server confined to the /chroot/deploy
# root (installed under the alias sshd-deploy.service, pulled in by
# chr-deploy.target). Read by systemd; see systemd.service(5) and
# systemd.exec(5). Full-line "#" comments only. Booleans mix true/yes,
# both of which systemd accepts.
#
# Review summary - details on the NOTE(review) lines below:
#   1. CapabilityBoundingSet= keeps CAP_SYS_ADMIN, RestrictNamespaces=mnt
#      allow-lists mount namespaces, and no SystemCallFilter= is active, so
#      the ReadOnlyPaths=/InaccessiblePaths=/ProtectSystem= restrictions can
#      be undone from inside the service (systemd.exec(5) states this and
#      recommends CapabilityBoundingSet=~CAP_SYS_ADMIN or
#      SystemCallFilter=~@mount).
#   2. PrivateNetwork=yes without any referenced .socket unit puts the
#      listener into an isolated network namespace.
#   3. Commented-out alternatives are kept as found; they are marked inactive.

[Unit]
Description=OpenBSD Secure Shell server (deploy chroot)
# Ordering only (no Requires=/Wants=): start after these when they are active.
After=network.target auditd.service local-fs.target
# Host-side path: Condition*= is evaluated by the manager, not inside the
# chroot. The unit is skipped while this flag file exists, mirroring the
# stock Debian sshd.service convention.
ConditionPathExists=!/chroot/deploy/etc/ssh/sshd_not_to_be_run
# Stop/restart of chr-deploy.target propagates to this unit.
PartOf=chr-deploy.target

[Service]
# Every Exec*= command (pre, start, reload) runs chrooted because
# RootDirectoryStartOnly=no; their binary paths (/usr/sbin/sshd-deploy,
# /bin/kill) are therefore looked up inside /chroot/deploy and must exist there.
RootDirectory=/chroot/deploy
RootDirectoryStartOnly=no
# Read by the manager on the host - hence the explicit /chroot/deploy prefix.
# Leading "-": a missing file is not an error. Supplies $SSHD_OPTS.
EnvironmentFile=-/chroot/deploy/etc/default/ssh
# Config self-test before the daemon starts.
ExecStartPre=/usr/sbin/sshd-deploy -t
ExecStart=/usr/sbin/sshd-deploy -D $SSHD_OPTS
# Reload = config test, then SIGHUP to the listener. The commands run in
# order, so a failing "-t" is meant to keep the HUP from reaching the daemon.
ExecReload=/usr/sbin/sshd-deploy -t
ExecReload=/bin/kill -HUP $MAINPID
# Only the main sshd process is signalled on stop; established sessions
# (forked children) are left running, as in the stock sshd.service.
KillMode=process
Restart=on-failure
# Exit status 255 does not trigger Restart= (stock sshd.service value).
RestartPreventExitStatus=255
# sshd-deploy must send READY=1 over $NOTIFY_SOCKET; that socket is made
# reachable inside the chroot by the /run/systemd/notify BindPaths= below.
# Assumes the binary was built with sd_notify support - TODO confirm.
Type=notify
# Creates /run/sshd on the host (the privilege-separation directory of stock
# sshd builds - presumably what sshd-deploy expects; verify).
# NOTE(review): BindPaths=/chroot/deploy/run:/run:norbind below also targets
# the chroot's /run; confirm /run/sshd is still visible inside the service
# after both mounts are applied (e.g. findmnt from an ExecStartPre= shell).
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755
# Mount /proc, /sys, /dev and /run inside the new root.
MountAPIVFS=true
# Inherited by every child, i.e. by every login session this sshd spawns:
# setuid/file-capability binaries (su, sudo, ...) will not elevate there.
# NOTE(review): reasonable for a deploy-only account; document it if intended.
NoNewPrivileges=true
# Private /dev with API pseudo-devices and the pty subsystem (PTY sessions
# still work). PrivateDevices=true already applies a closed device policy,
# so DevicePolicy=closed is redundant but harmless.
PrivateDevices=true
DevicePolicy=closed
# /usr, /boot and /etc read-only (the first ReadOnlyPaths= line below
# repeats most of this).
ProtectSystem=full
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
# Other users' processes are hidden in /proc, and with ProcSubset=pid every
# /proc entry that is not process-related (e.g. /proc/sys) is hidden too.
ProtectProc=invisible
ProtectHostname=true
ProtectClock=true
ProcSubset=pid
ProtectControlGroups=true
# AF_UNIX: notify socket and journal dev-log. AF_NETLINK: presumably the
# audit socket used with CAP_AUDIT_WRITE below - verify before narrowing.
# (Inactive earlier variants kept for reference.)
#RestrictAddressFamilies=AF_INET AF_INET6
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
# NOTE(review): CAP_SYS_ADMIN is close to full root and, together with the
# mount namespaces allowed by RestrictNamespaces=mnt and no active
# SystemCallFilter=, lets a process inside the service remount or undo the
# ReadOnlyPaths=/InaccessiblePaths=/ProtectSystem= setup below
# (systemd.exec(5) recommends CapabilityBoundingSet=~CAP_SYS_ADMIN or
# SystemCallFilter=~@mount for exactly this reason). CAP_DAC_OVERRIDE
# likewise bypasses file permissions chroot-wide. If sshd-deploy genuinely
# needs CAP_SYS_ADMIN, record which operation needs it here; otherwise drop it.
# (Inactive earlier variants kept for reference.)
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
#CapabilityBoundingSet=CAP_SYS_ADMIN
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_SYS_CHROOT CAP_SETUID CAP_SETGID CAP_SYS_ADMIN CAP_AUDIT_WRITE CAP_SYS_RESOURCE
# Allow-list: only mount namespaces may be created; every other namespace
# type is denied. (Inactive earlier variants kept for reference.)
#RestrictNamespaces=uts ipc pid user cgroup
#RestrictNamespaces=yes
RestrictNamespaces=mnt
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Inactive (commented out) - left as found.
#MemoryDenyWriteExecute=yes
LockPersonality=yes
# NOTE(review): with both lines disabled nothing filters mount(2)/umount(2).
# If @system-service proved too tight for sshd/PAM sessions, the narrower
# deny-list form SystemCallFilter=~@mount still closes the gap noted above.
#SystemCallFilter=@system-service
#SystemCallErrorNumber=EPERM
# Intended layout as read from the entries: system directories read-only,
# the whole chroot read-only except var/home/web, boot and sys unreachable.
# NOTE(review): with RootDirectory= set these paths are, to my
# understanding, resolved inside the new root, so "/etc" and
# "/chroot/deploy/etc" do not name the same directory; the mix of prefixed
# and unprefixed entries suggests both interpretations were tried. Confirm
# which entries actually take effect (findmnt inside the service, or
# systemd-analyze security) and keep one convention.
ReadOnlyPaths=/bin /sbin /lib /lib64 /usr /boot /etc
ReadOnlyPaths=/chroot/deploy
ReadWritePaths=/chroot/deploy/var /chroot/deploy/home /chroot/deploy/web
InaccessiblePaths=/chroot/deploy/boot /chroot/deploy/sys
# NOTE(review): this gives the service its own network namespace containing
# only a loopback interface. sshd then listens inside that namespace and is
# unreachable from outside unless the listening socket is created by a
# .socket unit and handed in - and no .socket unit is referenced here
# (no Sockets=, no Requires=). Either drop PrivateNetwork= or add the
# companion socket unit and document it next to this line.
PrivateNetwork=yes
# NonBlocking= only sets O_NONBLOCK on file descriptors passed in through
# socket activation; it does not itself make systemd pass any socket and has
# no effect without a .socket unit. (The earlier comment here claimed the
# opposite.)
NonBlocking=yes
# BindPaths= entries are host-source:chroot-destination:norbind
# (non-recursive bind). A leading "-" makes a missing source non-fatal.
# List-type setting: all lines accumulate.
# the chroot's /run
BindPaths=/chroot/deploy/run:/run:norbind
# systemd notify socket (for Type=notify) and the journal syslog socket
BindPaths=/run/systemd/notify:/run/systemd/notify:norbind /run/systemd/journal/dev-log:/run/systemd/journal/dev-log:norbind
# mysql socket directory from the host root (optional)
BindPaths=-/run/mysqld:/run/mysqld:norbind
# the web dir
BindPaths=/srv/web:/srv/web:norbind
# Inactive earlier variants kept for reference.
#BindPaths=/run/systemd:/run/systemd:norbind /run/dbus:/run/dbus:norbind
#ReadWritePaths=/web /chroot/deploy/web

[Install]
# Enabled as part of chr-deploy.target rather than multi-user.target
# (inactive earlier variant kept for reference).
#WantedBy=multi-user.target
WantedBy=chr-deploy.target
Alias=sshd-deploy.service