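# systemd unit for the honeypot daemon.
# Reads /opt/honeypot/config.json (exported as HONEYPOT_CONFIG) and wraps
# start/stop with the firewall helper script so the rules are torn down on
# every exit path (ExecStopPost= runs after a crash as well as a clean stop).

[Unit]
Description=Honeypot Service
# After= only orders; nftables.service is also listed in Wants= so it is
# actually pulled in before the ExecStartPre= firewall script needs it.
After=network-online.target nftables.service
Wants=network-online.target nftables.service
ConditionPathExists=/opt/honeypot/config.json

[Service]
Type=simple
# Unprivileged account; the daemon only receives the ambient capabilities below.
User=honeypot
WorkingDirectory=/opt/honeypot
Environment=HONEYPOT_CONFIG=/opt/honeypot/config.json
# Capabilities for packet capture and port binding.
# CAP_NET_RAW: raw sockets / capture; CAP_NET_BIND_SERVICE: ports below 1024.
# NOTE(review): CAP_NET_ADMIN is not covered by the capture/bind rationale
# (it is needed e.g. for promiscuous mode) — confirm the daemon requires it,
# because with it a compromised honeypot process could alter the host firewall.
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
# Baseline sandboxing for an attacker-facing daemon; /opt stays fully
# accessible, so WorkingDirectory= and the config path are unaffected.
PrivateTmp=yes
ProtectHome=yes
# Manage firewall rules (requires nftables and jq).
# The "+" prefix runs these helpers as root with none of the restrictions
# above (User=, capability sets, PrivateTmp=) applied; keep the script
# root-owned and not writable by the honeypot user.
# Assuming honeypot-firewall.sh is installed in /usr/local/bin/
ExecStartPre=+/usr/bin/bash /usr/local/bin/honeypot-firewall.sh ${HONEYPOT_CONFIG} start
ExecStart=/opt/honeypot/honeypot -config ${HONEYPOT_CONFIG}
# Executed on every exit path, so the rules are removed even after a crash.
ExecStopPost=+/usr/bin/bash /usr/local/bin/honeypot-firewall.sh ${HONEYPOT_CONFIG} stop
# Restart 5 s after any exit, including a clean one.
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target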