From 6dd1f412128bd27fef216e6ab0734e1ce3ebb3eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sat, 11 Jun 2022 11:26:31 +0200
Subject: [PATCH] add systemd service example files
---
etc/systemd-vaultd.service | 21 +++++++++++++++++++++
etc/systemd-vaultd.socket | 8 ++++++++
2 files changed, 29 insertions(+)
create mode 100644 etc/systemd-vaultd.service
create mode 100644 etc/systemd-vaultd.socket
diff --git a/etc/systemd-vaultd.service b/etc/systemd-vaultd.service
new file mode 100644
index 0000000..7062ff3
--- /dev/null
+++ b/etc/systemd-vaultd.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=systemd-vault daemon
+Requires=systemd-vaultd.socket
+
+[Service]
+ExecStart=/usr/bin/systemd-vaultd
+Restart=yes
+ProtectSystem=strict
+ProtectHome=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateUsers=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+MemoryDenyWriteExecute=yes
+SystemCallFilter=@default @file-system @basic-io @system-service @signal @io-event @network-io
+
+[Install]
+Also=systemd-vaultd.socket
diff --git a/etc/systemd-vaultd.socket b/etc/systemd-vaultd.socket
new file mode 100644
index 0000000..290841d
--- /dev/null
+++ b/etc/systemd-vaultd.socket
@@ -0,0 +1,8 @@
+[Unit]
+Description=systemd-vault activation socket
+
+[Socket]
+ListenStream=/run/systemd-vaultd/sock
+
+[Install]
+WantedBy=sockets.target
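Review bot: `Restart=yes` in the `[Service]` section of etc/systemd-vaultd.service is not a value systemd accepts for `Restart=` (`no`, `on-success`, `on-failure`, `on-abnormal`, `on-watchdog`, `on-abort`, `always`), so the line is ignored with a parse warning and the daemon keeps the default of no automatic restart. `Restart=on-failure` looks like what was intended. Separately, `@system-service` appears to already include the other groups listed in `SystemCallFilter=`, so the allow-list is probably no tighter than `SystemCallFilter=@system-service` on its own. The unit also sets no `User=`, so it runs as root; adding `NoNewPrivileges=yes` and an empty `CapabilityBoundingSet=` would narrow it further, assuming the daemon needs no capabilities.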
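Review bot: The `[Socket]` section of etc/systemd-vaultd.socket sets only `ListenStream=/run/systemd-vaultd/sock`, so the socket is created with systemd's defaults, `SocketMode=0666` inside a `DirectoryMode=0755` directory, and every local user can connect to the daemon. Whether that is safe depends on how systemd-vaultd authenticates its peers, which this patch does not show. If only the service manager is expected to connect, I would add `SocketMode=0600` and `DirectoryMode=0700` under `ListenStream=`. Otherwise a comment should state that the wide mode is intentional and which check the daemon relies on.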