[Unit]
Description=Automatically configure NetworkManager in cloud
Documentation=man:nm-cloud-setup(8)
Before=network-online.target
After=NetworkManager.service

# The service restart gets triggered from dispatcher script
# (pre-up and dhcp4-change actions), possibly ending up with many
# restart requests at the same time (e.g. on initial daemon startup
# on a machine with multiple NICs). The systemd handles multiple
# concurrent restart requests gracefully (the newer requests supersede
# older, which wait for them to finish), but the default limits are way
# too low: 5 restarts in 10 seconds. Raise that high enough for us to
# be on the safe side.
StartLimitIntervalSec=1
StartLimitBurst=100

[Service]
Type=oneshot
ExecStart=/usr/libexec/nm-cloud-setup

#Environment=NM_CLOUD_SETUP_LOG=TRACE

# Cloud providers are disabled by default. You need to
# Opt-in by setting the right environment variable for
# the provider.
#
# Create a drop-in file to overwrite these variables or
# use systemctl edit.
#Environment=NM_CLOUD_SETUP_EC2=yes
#Environment=NM_CLOUD_SETUP_GCP=yes
#Environment=NM_CLOUD_SETUP_AZURE=yes
#Environment=NM_CLOUD_SETUP_ALIYUN=yes
#Environment=NM_CLOUD_SETUP_OCI=yes

CapabilityBoundingSet=
KeyringMode=private
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native

DevicePolicy=closed
PrivateNetwork=no
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
SystemCallFilter=@system-service

[Install]
WantedBy=NetworkManager.service