diff --git a/advanced/pihole-FTL-prestart.sh b/advanced/pihole-FTL-prestart.sh
new file mode 100644
index 00000000..884975b3
--- /dev/null
+++ b/advanced/pihole-FTL-prestart.sh
@@ -0,0 +1,10 @@
+/bin/touch /var/log/pihole-FTL.log /run/pihole-FTL.pid /run/pihole-FTL.port /var/log/pihole.log
+/bin/mkdir -p /var/run/pihole /var/log/pihole
+/bin/chown pihole:pihole /var/run/pihole /var/log/pihole
+if [ -e "/var/run/pihole/FTL.sock" ]; then
+ /bin/rm /var/run/pihole/FTL.sock
+fi
+/bin/chown pihole:pihole /var/log/pihole-FTL.log /run/pihole-FTL.pid /run/pihole-FTL.port /etc/pihole /etc/pihole/dhcp.leases /var/log/pihole.log
+/bin/chmod 0644 /var/log/pihole-FTL.log /run/pihole-FTL.pid /run/pihole-FTL.port /var/log/pihole.log
+#/sbin/setcap "CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_NET_ADMIN+eip" "/usr/bin/pihole-FTL"
+/bin/echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.piholeFTL
diff --git a/advanced/pihole-FTL.service b/advanced/pihole-FTL.service
index ef8ee9c2..a13f368b 100644
--- a/advanced/pihole-FTL.service
+++ b/advanced/pihole-FTL.service
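Review bot: The new pre-start script runs as root from ExecStartPre but has no shebang and no `set -e`, so a failing `/bin/mkdir`, `/bin/chown` or `/bin/chmod` (for example when the `pihole` user does not exist) is silently ignored and only the exit status of the final `resolvconf` pipeline decides whether the unit starts. Adding `#!/bin/bash` and `set -eu` as the first two lines makes any failed fix-up abort the start instead of launching FTL with wrongly-owned files. The `setcap` line is commented out while the unit still drops to the `pihole` user through `su`, so unless the binary is granted CAP_NET_BIND_SERVICE elsewhere (presumably the installer) FTL will not be able to bind port 53 as an unprivileged user; either re-enable it here or grant the capabilities from the unit via `AmbientCapabilities=`. `/bin/chown pihole:pihole /etc/pihole` also hands the network-facing daemon ownership of its own configuration directory; if that is intended, a one-line comment such as `# FTL writes its state files under /etc/pihole, so it must own the directory` would spare the next reader the question.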
@@ -1,89 +1,30 @@
-#!/bin/bash
-### BEGIN INIT INFO
-# Provides: pihole-FTL
-# Required-Start: $remote_fs $syslog
-# Required-Stop: $remote_fs $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: pihole-FTL daemon
-# Description: Enable service provided by pihole-FTL daemon
-### END INIT INFO
+[Unit]
+Description=Pi-hole FTLDNS
+After=network.target
-FTLUSER=pihole
-PIDFILE=/var/run/pihole-FTL.pid
+[Service]
+Restart=on-abnormal
+User=root
+Group=root
-get_pid() {
- pidof "pihole-FTL"
-}
+Type=forking
+PIDFile=/run/pihole-FTL.pid
-is_running() {
- ps "$(get_pid)" > /dev/null 2>&1
-}
+ExecStartPre=/bin/bash /etc/.pihole/advanced/pihole-FTL-prestart.sh
+ExecStart=/bin/su -s /bin/sh -c "/usr/bin/pihole-FTL" "pihole"
+ExecReload=/bin/kill -USR1 $MAINPID
+; Use graceful shutdown with a reasonable timeout
+KillMode=mixed
+KillSignal=SIGQUIT
+TimeoutStopSec=5s
-# Start the service
-start() {
- if is_running; then
- echo "pihole-FTL is already running"
- else
- touch /var/log/pihole-FTL.log /run/pihole-FTL.pid /run/pihole-FTL.port /var/log/pihole.log
- mkdir -p /var/run/pihole
- mkdir -p /var/log/pihole
- chown pihole:pihole /var/run/pihole /var/log/pihole
- rm /var/run/pihole/FTL.sock 2> /dev/null
- chown pihole:pihole /var/log/pihole-FTL.log /run/pihole-FTL.pid /run/pihole-FTL.port
- chown pihole:pihole /etc/pihole /etc/pihole/dhcp.leases /var/log/pihole.log
- chmod 0644 /var/log/pihole-FTL.log /run/pihole-FTL.pid /run/pihole-FTL.port /var/log/pihole.log
- setcap CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_NET_ADMIN+eip "$(which pihole-FTL)"
- echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.piholeFTL
- su -s /bin/sh -c "/usr/bin/pihole-FTL" "$FTLUSER"
- echo
- fi
-}
+; Make /usr, /boot, /etc and possibly some more folders read-only...
+ProtectSystem=full
+; ... except /etc/pihole
+; This merely retains r/w access rights, it does not add any new.
+; Must still be writable on the host!
+ReadWriteDirectories=/etc/pihole
-# Stop the service
-stop() {
- if is_running; then
- /sbin/resolvconf -d lo.piholeFTL
- kill "$(get_pid)"
- for i in {1..5}; do
- if ! is_running; then
- break
- fi
-
- echo -n "."
- sleep 1
- done
- echo
-
- if is_running; then
- echo "Not stopped; may still be shutting down or shutdown may have failed, killing now"
- kill -9 "$(get_pid)"
- exit 1
- else
- echo "Stopped"
- fi
- else
- echo "Not running"
- fi
- echo
-}
-
-### main logic ###
-case "$1" in
- stop)
- stop
- ;;
- status)
- status pihole-FTL
- ;;
- start|restart|reload|condrestart)
- stop
- start
- ;;
- *)
- echo $"Usage: $0 {start|stop|restart|reload|status}"
- exit 1
-esac
-
-exit 0
+[Install]
+WantedBy=multi-user.target
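Review bot: `ExecStart=/bin/su -s /bin/sh -c "/usr/bin/pihole-FTL" "pihole"` under `User=root` leaves the privilege drop to `su` — a setuid binary that opens a PAM session and an extra shell — instead of letting systemd do it, and it means the whole unit, not just the root-only fix-ups in the pre-start script, runs as root. The idiomatic form is `User=pihole` plus `AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN` and a direct `ExecStart=/usr/bin/pihole-FTL`, keeping only the pre-start as `ExecStartPre=+...` (the `+` prefix needs systemd 231 or newer); that also makes the `setcap` step the pre-start script comments out unnecessary. The `-d lo.piholeFTL` cleanup that the removed init script ran on stop has no counterpart in the unit, so the extra nameserver entry presumably lingers after `systemctl stop` — an `ExecStopPost=/sbin/resolvconf -d lo.piholeFTL` would restore the old behaviour. `ProtectSystem=full` makes /etc read-only for the service, so the chown of `/etc/pihole/dhcp.leases` in the pre-start relies entirely on `ReadWriteDirectories=/etc/pihole`; worth a test on a host where `/sbin/resolvconf` is absent (systemd-resolved), since the pre-start's last command failing will keep the unit from starting.
```ini
[Service]
Restart=on-abnormal
; drop privileges in systemd rather than via su; grant only the caps FTL needs
User=pihole
Group=pihole
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN
; … unchanged: Type=forking / PIDFile= …
; '+' runs just the pre-start fix-ups (touch/chown/resolvconf) as root
ExecStartPre=+/bin/bash /etc/.pihole/advanced/pihole-FTL-prestart.sh
ExecStart=/usr/bin/pihole-FTL
ExecStopPost=/sbin/resolvconf -d lo.piholeFTL
; … unchanged: ExecReload, KillMode, KillSignal, TimeoutStopSec, ProtectSystem, ReadWriteDirectories …
```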