[Unit]
# %i expands to the instance name, so this is presumably installed as a
# template unit (name@.service); confirm against the packaged filename.
Description=innisfree tunnel for %i
# After= orders startup behind the network and name-resolution targets.
# Wants= pulls them in as weak dependencies: this unit is still started
# if either target fails to come up.
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
[Service]
# --- Process ---------------------------------------------------------
# Runs in the foreground; the tunnel to bring up is named by the
# instance (%i).
Type=simple
ExecStart=/usr/bin/innisfree up --name %i
Environment="RUST_LOG=info"

# --- Lifecycle -------------------------------------------------------
# Restart on every exit, clean or not. No RestartSec= is set, so the
# systemd default restart delay and start-rate limit apply.
Restart=always
# Workaround: stop with SIGINT because SIGTERM is not yet supported by
# the program.
KillSignal=SIGINT

# --- Privileges ------------------------------------------------------
# The local Wireguard interface runs in-process via boringtun, which
# needs CAP_NET_ADMIN to open /dev/net/tun and to configure the link
# over netlink. CAP_NET_BIND_SERVICE is kept because the proxy may
# listen on low ports.
#
# No User= is set in this section, so as a system service the process
# runs as root. CapabilityBoundingSet= is what confines it to the two
# capabilities below; AmbientCapabilities= mainly matters if a non-root
# User= is introduced later.
# NOTE(review): root with a reduced capability set still owns root-owned
# files. Consider a dedicated User= (or DynamicUser=) plus filesystem
# sandboxing such as ProtectSystem=/ProtectHome= once the paths
# innisfree reads and writes are confirmed.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
# Prevents the service and its children from gaining privileges through
# setuid/setgid binaries or file capabilities on exec.
NoNewPrivileges=true
[Install]
# Enabling the unit attaches it to multi-user.target, so it is started
# as part of normal system boot.
WantedBy=multi-user.target