From 8679ff91dcaa94e622e8af0d0723922f488bba77 Mon Sep 17 00:00:00 2001
From: frederik
Date: Fri, 25 Mar 2022 21:51:20 +0100
Subject: [PATCH] chore(systemd): add systemd service files (#22)
Add systemd files to serve files from /var/lib/rustypaste, automatic user creation via systemd-sysusers and AUTH_TOKEN configuration via rustypaste.env in /etc/rustypaste/rustypaste.env. implements #16
---
extra/systemd/rustypaste.env | 2 ++
extra/systemd/rustypaste.service | 31 +++++++++++++++++++++++++++++++
extra/systemd/rustypaste.sysusers | 1 +
extra/systemd/rustypaste.tmpfiles | 1 +
4 files changed, 35 insertions(+)
create mode 100644 extra/systemd/rustypaste.env
create mode 100644 extra/systemd/rustypaste.service
create mode 100644 extra/systemd/rustypaste.sysusers
create mode 100644 extra/systemd/rustypaste.tmpfiles
diff --git a/extra/systemd/rustypaste.env b/extra/systemd/rustypaste.env
new file mode 100644
index 00000000..816e3b5f
--- /dev/null
+++ b/extra/systemd/rustypaste.env
@@ -0,0 +1,2 @@
+# To enable basic HTTP auth, set the AUTH_TOKEN
+AUTH_TOKEN=""
diff --git a/extra/systemd/rustypaste.service b/extra/systemd/rustypaste.service
new file mode 100644
index 00000000..dee5f66a
--- /dev/null
+++ b/extra/systemd/rustypaste.service
@@ -0,0 +1,31 @@
+[Unit]
+Description=Rustypaste server
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+User=rustypaste
+Group=rustypaste
+ExecStart=/usr/bin/rustypaste
+ReadWritePaths=/var/lib/rustypaste
+ReadOnlyPaths=/etc/rustypaste
+
+WorkingDirectory=/var/lib/rustypaste
+Environment="CONFIG=/etc/rustypaste/config.toml"
+EnvironmentFile=/etc/rustypaste/rustypaste.env
+
+# Hardening options
+CapabilityBoundingSet=
+AmbientCapabilities=
+NoNewPrivileges=true
+ProtectHome=true
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+PrivateTmp=true
+PrivateDevices=true
+LockPersonality=true
+
+[Install]
+WantedBy=multi-user.target
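Review bot: The shipped default `AUTH_TOKEN=""` in rustypaste.env sets the variable to an empty string instead of leaving it unset, and nothing in this patch shows how the server treats an empty token. Shipping the line commented out, `#AUTH_TOKEN=`, would make "no authentication configured" unambiguous. Once a token is set the file holds a secret, yet the patch does not set an owner or mode for /etc/rustypaste/rustypaste.env, so a packager installing it with default permissions would leave the token readable by every local user. The service manager reads `EnvironmentFile=` itself before starting the process, so the header comment can say so directly: `# Holds a secret: install as root:root, mode 0600`.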
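Review bot: The "Hardening options" block in rustypaste.service leaves socket families, the system-call surface and the file-creation mask unrestricted for a network-facing upload service. There is no `RestrictAddressFamilies=`, `SystemCallFilter=`, `RestrictSUIDSGID=` or `UMask=`, so uploads written under /var/lib/rustypaste get the default umask rather than one matching the 0750 state directory. The additions below are the usual set for a daemon that only needs TCP and its own state directory. The binary's real requirements are not visible in this patch, so check the result with `systemd-analyze security rustypaste.service` and confirm the server still starts. Separately, `ReadOnlyPaths=/etc/rustypaste` is already implied by `ProtectSystem=strict` and could be dropped.

```ini
# … unchanged: CapabilityBoundingSet= through PrivateDevices=true …
LockPersonality=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
MemoryDenyWriteExecute=true
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true
UMask=0027
```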
diff --git a/extra/systemd/rustypaste.sysusers b/extra/systemd/rustypaste.sysusers
new file mode 100644
index 00000000..6ff7ad2e
--- /dev/null
+++ b/extra/systemd/rustypaste.sysusers
@@ -0,0 +1 @@
+u rustypaste - "Minimal file upload/pastebin service" /var/lib/rustypaste
diff --git a/extra/systemd/rustypaste.tmpfiles b/extra/systemd/rustypaste.tmpfiles
new file mode 100644
index 00000000..a449e18b
--- /dev/null
+++ b/extra/systemd/rustypaste.tmpfiles
@@ -0,0 +1 @@
+d /var/lib/rustypaste 0750 rustypaste rustypaste