etc_systemd_system_openvpn@.service.d_override.conf.j2

[Unit]
After=network.target systemd-tmpfiles-setup.service
Before=dnsmasq.service
# Need systemd-tmpfiles for /run/openvpn directory which contains PID and status files
Wants=systemd-tmpfiles-setup.service
Requires=network.target

[Service]
User=openvpn
Group=openvpn
# Only apply user and group to ExecStart. ExecStartPre/Post need root to manage devices
PermissionsStartOnly=true
ExecStartPre=/usr/sbin/openvpn --mktun --dev tun-%i --dev-type tun --user openvpn --group openvpn
# Annoying race condition, openvpn doesn't create the pid file fast enough for
# systemd. The sleep makes systemd wait before checking for the pid file
ExecStartPost=/bin/sleep 0.1
ExecStopPost=/usr/sbin/openvpn --rmtun --dev tun-%i
{% if ansible_distribution in ['Ubuntu', 'Debian'] %}
{#
  Clearing doesn't seem to be okay on Debian 8.5 (systemd 215) or CentOS 7.2 (systemd 219)
  But it's okay on Ubuntu 16.04 (systemd 229) and Debian 8.5 w/ backports (systemd 230)
  TODO Maybe key off of systemd version instead? custom 'set_fact' step on start?
#}
CapabilityBoundingSet=
{% endif %}
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
ProtectSystem=full
ProtectHome=true
# Need access to /usr/sbin/openvpn and /bin/ip
# Root directory; handle /bin, /usr, /var, /lib and /sbin separately
InaccessibleDirectories=/boot /home /lost+found /media /mnt /opt /root /snap /srv /sys
# Leave /usr/sbin accessible
InaccessibleDirectories=/usr/bin /usr/games /usr/include /usr/local /usr/share /usr/src
# Leave /var/run accessible
InaccessibleDirectories=/var/backups /var/cache  /var/lib /var/local /var/log /var/mail /var/opt  /var/spool
{% if ansible_distribution in ['Ubuntu'] and ansible_distribution_version in ['16.04'] %}
{#
  These dirs only exist on ubuntu
  TODO Maybe build list of directories
#}
InaccessibleDirectories=/var/crash /var/snap
{% endif %}
ReadOnlyDirectories=/lib /lib64 /usr/lib