[Unit]
Description=Argo Tunnel client daemon for Cloudflared
After=network.target
Wants=network.target

[Service]
Type=notify
ExecStart=/usr/bin/cloudflared --config /etc/cloudflared/config.yml --no-autoupdate
User=cloudflared
Group=cloudflared
Restart=on-failure
RestartSec=5s
TimeoutStartSec=0

# Allow cloudflared access to logfile
ReadWritePaths=/var/log/cloudflared.log

# Allow cloudflared to bind ports in the range of 0-1024 and restrict it to
# that capability
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

# If cloudflared is run at ports >1024, you should apply these options via a
# drop-in file
#CapabilityBoundingSet=
#AmbientCapabilities=
#PrivateUsers=yes

NoNewPrivileges=true
LimitNOFILE=1048576
UMask=0077

ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true

SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target