# tor.service -- this systemd configuration file for Tor sets up a
# relatively conservative, hardened Tor service.  You may need to
# edit it if you are making changes to your Tor configuration that it
# does not allow.  Package maintainers: this should be a starting point
# for your tor.service; it is not the last point.

[Unit]
Description = Anonymizing overlay network for TCP
After = syslog.target network.target nss-lookup.target

[Service] Type = notify NotifyAccess = all ExecStartPre = @BINDIR@/tor
-f @CONFDIR@/torrc --verify-config ExecStart = @BINDIR@/tor -f
@CONFDIR@/torrc ExecReload = /bin/kill -HUP ${MAINPID} KillSignal =
SIGINT TimeoutSec = 30 Restart = on-failure WatchdogSec = 1m
LimitNOFILE = 32768

# Hardening
PrivateTmp = yes
PrivateDevices = yes
ProtectHome = yes
ProtectSystem = full
ReadOnlyDirectories = /
ReadWriteDirectories = -@LOCALSTATEDIR@/lib/tor
ReadWriteDirectories = -@LOCALSTATEDIR@/log/tor
NoNewPrivileges = yes
CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE

[Install]
WantedBy = multi-user.target