## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

[Unit]
Description=canary
Documentation=https://www.kicksecure.com/wiki/Systemcheck#Warrant_Canary_Check

ConditionPathExists=!/run/qubes/this-is-templatevm
ConditionPathExists=!/usr/share/anon-ws-base-files/workstation

After=network.target
Wants=network.target

After=rinetd.service
After=tor.service
After=tor@default.service
After=onion-grater.service
After=whonix-firewall.service

[Service]
Type=notify

User=canary
Group=canary

ExecStart=/usr/libexec/systemcheck/canary-daemon
SuccessExitStatus=143
## /usr/libexec/systemcheck/canary-daemon uses `light_sleep 3600`
## /usr/libexec/systemcheck/canary uses `curl` with `--max-time 180`
WatchdogSec=4000
NotifyAccess=all
Restart=always

## Hardening.
## https://forums.whonix.org/t/apply-systemd-sandboxing-by-default-to-some-services/7590/31
ProtectSystem=full
ProtectHome=true
ReadWritePaths=/var/lib/canary
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
PrivateTmp=true
PrivateMounts=true
PrivateDevices=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
RestrictRealtime=true
SystemCallArchitectures=native
RestrictNamespaces=true
RestrictAddressFamilies=AF_UNIX AF_INET
## TODO
#SystemCallFilter=

[Install]
WantedBy=multi-user.target