artakvg/gist:b97a78932a8c0f15e8e6411e3469d39d

## gistfile1.txt

#  SPDX-License-Identifier: LGPL-2.1-or-later
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=Network Configuration
Documentation=man:systemd-networkd.service(8)
Documentation=man:org.freedesktop.network1(5)
ConditionCapability=CAP_NET_ADMIN
DefaultDependencies=no
# systemd-udevd.service can be dropped once tuntap is moved to netlink
After=systemd-networkd.socket systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service
Before=network.target multi-user.target shutdown.target initrd-switch-root.target
Conflicts=shutdown.target initrd-switch-root.target
Wants=systemd-networkd.socket network.target

[Service]
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
BusName=org.freedesktop.network1
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
DeviceAllow=char-* rw
ExecStart=!!/lib/systemd/systemd-networkd
ExecReload=networkctl reload
FileDescriptorStoreMax=512
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
ProtectProc=invisible
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectSystem=strict
Restart=on-failure
RestartKillSignal=SIGUSR2
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/netif
RuntimeDirectoryPreserve=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
Type=notify
User=systemd-network
WatchdogSec=3min

[Install]
WantedBy=multi-user.target
Also=systemd-networkd.socket
Alias=dbus-org.freedesktop.network1.service

# The output from this generator is used by udevd and networkd. Enable it by
# default when enabling systemd-networkd.service.
Also=systemd-network-generator.service

# We want to enable systemd-networkd-wait-online.service whenever this service
# is enabled. systemd-networkd-wait-online.service has
# WantedBy=network-online.target, so enabling it only has an effect if
# network-online.target itself is enabled or pulled in by some other unit.
Also=systemd-networkd-wait-online.service

	# SPDX-License-Identifier: LGPL-2.1-or-later
	#
	# This file is part of systemd.
	#
	# systemd is free software; you can redistribute it and/or modify it
	# under the terms of the GNU Lesser General Public License as published by
	# the Free Software Foundation; either version 2.1 of the License, or
	# (at your option) any later version.

	[Unit]
	Description=Network Configuration
	Documentation=man:systemd-networkd.service(8)
	Documentation=man:org.freedesktop.network1(5)
	ConditionCapability=CAP_NET_ADMIN
	DefaultDependencies=no
	# systemd-udevd.service can be dropped once tuntap is moved to netlink
	After=systemd-networkd.socket systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service
	Before=network.target multi-user.target shutdown.target initrd-switch-root.target
	Conflicts=shutdown.target initrd-switch-root.target
	Wants=systemd-networkd.socket network.target

	[Service]
	AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
	BusName=org.freedesktop.network1
	CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
	DeviceAllow=char-* rw
	ExecStart=!!/lib/systemd/systemd-networkd
	ExecReload=networkctl reload
	FileDescriptorStoreMax=512
	LockPersonality=yes
	MemoryDenyWriteExecute=yes
	NoNewPrivileges=yes
	ProtectProc=invisible
	ProtectClock=yes
	ProtectControlGroups=yes
	ProtectHome=yes
	ProtectKernelLogs=yes
	ProtectKernelModules=yes
	ProtectSystem=strict
	Restart=on-failure
	RestartKillSignal=SIGUSR2
	RestartSec=0
	RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
	RestrictNamespaces=yes
	RestrictRealtime=yes
	RestrictSUIDSGID=yes
	RuntimeDirectory=systemd/netif
	RuntimeDirectoryPreserve=yes
	SystemCallArchitectures=native
	SystemCallErrorNumber=EPERM
	SystemCallFilter=@system-service
	Type=notify
	User=systemd-network
	WatchdogSec=3min

	[Install]
	WantedBy=multi-user.target
	Also=systemd-networkd.socket
	Alias=dbus-org.freedesktop.network1.service

	# The output from this generator is used by udevd and networkd. Enable it by
	# default when enabling systemd-networkd.service.
	Also=systemd-network-generator.service

	# We want to enable systemd-networkd-wait-online.service whenever this service
	# is enabled. systemd-networkd-wait-online.service has
	# WantedBy=network-online.target, so enabling it only has an effect if
	# network-online.target itself is enabled or pulled in by some other unit.
	Also=systemd-networkd-wait-online.service