[Unit] Description=Argo Tunnel client daemon for Cloudflared After=network.target Wants=network.target [Service] Type=notify ExecStart=/usr/bin/cloudflared --config /etc/cloudflared/%I.yml --no-autoupdate tunnel run %I #User=cloudflared #Group=cloudflared Restart=on-failure RestartSec=5s TimeoutStartSec=0 # Allow cloudflared access to logfile ReadWritePaths=/var/log/cloudflared/%I.log # Allow cloudflared to bind ports in the range of 0-1024 and restrict it to # that capability CapabilityBoundingSet=CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_NET_BIND_SERVICE # If cloudflared is run at ports >1024, you should apply these options via a # drop-in file #CapabilityBoundingSet= #AmbientCapabilities= #PrivateUsers=yes NoNewPrivileges=true LimitNOFILE=1048576 UMask=0077 ProtectSystem=strict ProtectHome=true PrivateTmp=true PrivateDevices=true ProtectHostname=true ProtectClock=true ProtectKernelTunables=true ProtectKernelModules=true ProtectKernelLogs=true ProtectControlGroups=true RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictNamespaces=true LockPersonality=true MemoryDenyWriteExecute=true RestrictRealtime=true RestrictSUIDSGID=true RemoveIPC=true SystemCallFilter=@system-service SystemCallFilter=~@privileged @resources SystemCallArchitectures=native [Install] WantedBy=multi-user.target