Move units to their own folder.

Comment out additional units in unbound.service.in.
Also add reference to icannbundle.pem to unbound-anchor.service.in.

Signed-off-by: Toria <ninetailedtori@uwu.gal>

contrib/systemd/unbound-anchor.service.in

@@ -48,10 +48,9 @@
 Description=unbound-anchor
 Documentation=man:unbound-anchor(8)
 After=network-online.target
-After=unbound-roothints.service
 Wants=network-online.target
+After=unbound-roothints.service
 Wants=unbound-roothints.service
-Before=unbound-chown.service
 Before=unbound.service
 OnFailure=logger "Error (unbound-anchor): Please check root anchor."
 
@@ -61,7 +60,7 @@ WantedBy=multi-user.target
 [Service]
 ExecCondition=@UNBOUND_RUN_DIR@/roothints-sig.sh
 ExecStart=/bin/cp "/etc/trusted-key.key" @UNBOUND_ROOTKEY_FILE@
-ExecStart=@UNBOUND_SBIN_DIR@/unbound-anchor -f "/etc/resolv.conf" -r @UNBOUND_RUN_DIR@/root.hints -a @UNBOUND_ROOTKEY_FILE@
+ExecStart=/bin/sudo -u unbound @UNBOUND_SBIN_DIR@/unbound-anchor -f "/etc/resolv.conf" -r @UNBOUND_RUN_DIR@/root.hints -a @UNBOUND_ROOTKEY_FILE@ -c @UNBOUND_RUN_DIR@/icannbundle.pem
 NotifyAccess=main
 Type=oneshot
 # TODO: Needs checking. Does unbound-anchor require net capabilities?
@@ -88,4 +87,4 @@ RestrictNamespaces=yes
 LockPersonality=yes
 RestrictSUIDSGID=yes
 ReadWritePaths=@UNBOUND_ROOTKEY_FILE@
-ReadOnlyPaths=/etc/trusted-key.key /etc/resolv.conf @UNBOUND_RUN_DIR@/root.hints
+ReadOnlyPaths=/etc/trusted-key.key /etc/resolv.conf @UNBOUND_RUN_DIR@/root.hints @UNBOUND_RUN_DIR@/icannbundle.pem

contrib/unbound-chown.service.in

@@ -1,89 +0,0 @@
-; For further details about the directives used in this unit file, including
-; the below, please refer to systemd's official documentation, available at
-; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
-;
-;
-;   - `ProtectSystem=strict` implies we mount the entire file system hierarchy
-;     read-only for the processes invoked by the unit except for the API file
-;     system subtrees /dev, /proc and /sys (which are protected by
-;     PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
-;
-;   - `PrivateTmp=yes` secures access to temporary files of the process, and
-;     makes sharing between processes via /tmp or /var/tmp impossible.
-;
-;   - `ProtectHome=yes` makes the directories /home, /root, and /run/user
-;     inaccessible and empty for processes invoked by the unit.
-;
-;   - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
-;     (accessible through /sys/fs/cgroup) read-only to all processes invoked by
-;     the unit. It also implies `MountAPIVFS=yes`.
-;
-;   - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
-;     unit User and Group with read-write permissions (0755) as soon as the
-;     unit starts. This allows unbound to store its pidfile. The directory and
-;     its content are automatically removed by systemd when the unit stops.
-;
-;   - `NoNewPrivileges=yes` ensures that the service process and all its
-;     children can never gain new privileges through execve().
-;
-;   - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
-;     (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
-;
-;   - `RestrictRealTime=yes` ensures that any attempts to enable realtime
-;     scheduling in a process invoked by the unit will be denied.
-;
-;   - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
-;     is prohibited.
-;
-;   - `LockPersonality=yes` locks down the personality system call so that the
-;     kernel execution domain may not be changed from the default.
-;
-;   - With /etc/systemd/network/*.network a setting to make sure the network
-;     is not considered online too early, can reduce network unreachable
-;     errors on server start:
-;     [Link]
-;     RequiredForOnline=routable
-;
-[Unit]
-Description=unbound-chown
-Documentation=man:chown(1)
-After=network-online.target
-After=unbound-anchor.service
-After=unbound-roothints.service
-Wants=network-online.target
-Wants=unbound-anchor.service
-Wants=unbound-roothints.service
-Before=unbound.service
-OnFailure=logger "Error (unbound-chown): Please check /etc/unbound ownership."
-
-[Install]
-WantedBy=multi-user.target
-
-[Service]
-ExecStart=/bin/chown -R unbound:unbound @UNBOUND_RUN_DIR@
-ExecStart=/bin/chown -R unbound:unbound @UNBOUND_CHROOT_DIR@
-ExecStart=/bin/chown unbound:unbound @UNBOUND_ROOTKEY_FILE@
-NotifyAccess=main
-Type=oneshot
-CapabilityBoundingSet=CAP_CHOWN
-MemoryDenyWriteExecute=true
-NoNewPrivileges=true
-PrivateDevices=true
-PrivateTmp=true
-ProtectHome=true
-ProtectClock=true
-ProtectControlGroups=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
-ProtectProc=invisible
-ProtectSystem=strict
-RuntimeDirectory=unbound
-ConfigurationDirectory=unbound
-StateDirectory=unbound
-RestrictRealtime=true
-SystemCallArchitectures=native
-RestrictNamespaces=yes
-LockPersonality=yes
-RestrictSUIDSGID=yes
-ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@ @UNBOUND_ROOTKEY_FILE@

contrib/unbound.service.in

@@ -48,14 +48,13 @@
 Description=Validating, recursive, and caching DNS resolver
 Documentation=man:unbound(8)
 After=network-online.target
-After=unbound-roothints.service
-After=unbound-anchor.service
-After=unbound-chown.service
 Wants=network-online.target
-Wants=unbound-roothints.service
-Wants=unbound-anchor.service
-Wants=unbound-chown.service
 Before=nss-lookup.target
+# These two are needed for systemd-managed root.hints and trusted-key.key updates.
+#After=unbound-roothints.service
+#Wants=unbound-roothints.service
+#After=unbound-anchor.service
+#Wants=unbound-anchor.service
 
 [Install]
 WantedBy=multi-user.target