# systemd service unit: runs BIND (named) with /chroot/named as its root filesystem
# via RootDirectory=. Syntax per systemd.unit(5)/systemd.exec(5); only full-line
# '#' comments are recognised, so nothing here uses trailing comments.
# Lines marked NOTE(review) record points that cannot be confirmed from this file.
[Unit]
Description=BIND Domain Name Server in chroot
Documentation=man:named(8)
After=network.target local-fs.target
# This service provides name resolution: units that need DNS order themselves
# After=nss-lookup.target, so this unit pulls that target in and runs before it.
Wants=nss-lookup.target
Before=nss-lookup.target
# Stop/restart of chr-named.target (see [Install]) propagates to this service.
PartOf=chr-named.target

[Service]
# Read by systemd on the host side before the service is spawned, so this is the
# host path to the copy of /etc/default/bind9 kept inside the chroot. It supplies
# $OPTIONS for ExecStart; its contents are not visible here.
EnvironmentFile=/chroot/named/etc/default/bind9
# Every Exec* line below runs with this directory as "/" (RootDirectoryStartOnly=no
# is the default), so named, rndc and their configuration files all have to exist
# inside /chroot/named, not only on the host.
RootDirectory=/chroot/named
RootDirectoryStartOnly=no
# -f keeps named in the foreground so systemd supervises it directly.
# NOTE(review): no User=/Group= here; whether named gives up root depends on
# $OPTIONS (e.g. a -u flag) in the environment file - confirm.
ExecStart=/usr/sbin/named -f $OPTIONS
ExecReload=/usr/sbin/rndc reload
ExecStop=/usr/sbin/rndc stop
# --- Sandboxing (systemd.exec) ---
PrivateTmp=true
# Mounts /proc, /sys and /dev (and on newer systemd an empty /run) inside the root.
MountAPIVFS=true
NoNewPrivileges=true
PrivateDevices=true
DevicePolicy=closed
# full: /usr, /boot and /etc read-only (applied inside the service's root).
ProtectSystem=full
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
# ProtectProc=/ProcSubset= need a fairly recent systemd; on older releases they
# are unknown settings and are ignored with a warning rather than enforced.
ProtectProc=invisible
ProcSubset=pid
ProtectControlGroups=true
ProtectClock=true
ProtectHome=true
# NOTE(review): the hardening lines below are commented out without a stated
# reason. With CapabilityBoundingSet= disabled the process keeps the full
# capability bounding set, and NoNewPrivileges= does not remove capabilities it
# already holds; RootDirectory= is not a privilege boundary against a root process
# that retains CAP_SYS_ADMIN. If named switches user with -u it additionally needs
# CAP_SETUID CAP_SETGID in the set - check $OPTIONS before re-enabling the line.
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
#RestrictNamespaces=uts ipc pid user cgroup
#RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
#LockPersonality=yes
# Style: booleans are spelled both "true" and "yes" in this file; systemd accepts
# either, but one spelling per file is easier to audit.
#ReadOnlyPaths=/bin /sbin /lib /lib64 /usr /boot /etc
# NOTE(review): systemd.exec documents ReadOnlyPaths=/ReadWritePaths=/
# InaccessiblePaths= (and the destination side of BindPaths=) as relative to the
# root directory when RootDirectory= is set. If that holds here, "/chroot/named"
# resolves to /chroot/named/chroot/named from the service's point of view, the
# intended read-only coverage is absent, and a missing path without a '-' prefix
# normally makes the mount setup fail. Confirm from a running instance which
# mounts are really applied; the root-relative spelling would be ReadOnlyPaths=/
# (or ProtectSystem=strict) with ReadWritePaths=/var/cache/bind /run.
ReadOnlyPaths=/chroot/named
# Zone cache and runtime directory stay writable. ReadWritePaths= and BindPaths=
# are list-type settings: repeated lines accumulate, they do not override.
ReadWritePaths=/chroot/named/var/cache/bind
ReadWritePaths=/chroot/named/run
InaccessiblePaths=/chroot/named/boot /chroot/named/sys /chroot/named/proc
# BindPaths=source:destination:norbind - source is a host path, destination is
# inside the root, norbind = non-recursive bind. Presumably puts the chroot's own
# run directory back over the /run that MountAPIVFS= provides - confirm.
# run
BindPaths=/chroot/named/run:/run:norbind
# Exposes the sd_notify socket and journald's syslog socket to the chrooted
# process (author's intent: logging and systemd notification).
# NOTE(review): Type= is unset (default simple), so readiness via the notify
# socket is not waited on; if notification is wanted, Type=notify is needed and
# this build of named must actually send it. Also verify named's syslog() output
# reaches the journal, which assumes /dev/log inside the private /dev points at
# /run/systemd/journal/dev-log.
# log, systemd notify
BindPaths=/run/systemd/notify:/run/systemd/notify:norbind /run/systemd/journal/dev-log:/run/systemd/journal/dev-log:norbind

[Install]
# Installed into the custom chr-named.target rather than multi-user.target; the
# service is only pulled in when that target is enabled or wanted by another unit.
#WantedBy=multi-user.target
WantedBy=chr-named.target