Package with nix and add systemd unit example

2025-07-04 05:15:33 +00:00 · 2024-08-31 15:40:41 -04:00 · 2024-08-31 15:40:41 -04:00 · e84b13c876
commit e84b13c876
parent a63d0df443
9 changed files with 287 additions and 3 deletions
--- a/blahd/blahd.example.service
+++ b/blahd/blahd.example.service
@ -0,0 +1,46 @@
+[Unit]
+Description=Blah Chat Server
+After=network.target
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/blahd serve --config ${CONFIGURATION_DIRECTORY}/blahd.toml
+ConfigurationDirectory=blahd
+StateDirectory=blahd
+Restart=always
+RestartSec=10s
+
+# Permission and capabilities
+
+DynamicUser=yes
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+# 0640 / 0750
+UMask=0027
+
+# Sandboxing
+# Mostly copied from: https://github.com/NixOS/nixpkgs/blob/6414ef7ca3bf18ec4f9628d09ccc1eb030276ee2/nixos/modules/services/web-servers/nginx/default.nix#L1246
+
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateMounts=yes
+PrivateUsers=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectProc=invisible
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
--- a/blahd/config.example.toml
+++ b/blahd/config.example.toml
@ -1,8 +1,12 @@
+# The example configuration file, required options are documented as
+# `(Required)`, other options are optional and the example value given here is
+# the default value.
+
 [database]
-# (Required)
 # The path to the main SQLite database.
-# It will be created and initialized if not exist.
-path = "/path/to/db.sqlite"
+# The file will be created and initialized if not exist, but missing directory
+# will not.
+path = "/var/lib/blahd/db.sqlite"

 [server]

--- a/blahd/src/config.rs
+++ b/blahd/src/config.rs
@ -11,9 +11,11 @@ pub struct Config {
    pub server: ServerConfig,
 }

+#[serde_inline_default]
 #[derive(Debug, Clone, Deserialize)]
 #[serde(deny_unknown_fields)]
 pub struct DatabaseConfig {
+    #[serde_inline_default("/var/lib/blahd/db.sqlite".into())]
    pub path: PathBuf,
 }

--- a/blahd/src/main.rs
+++ b/blahd/src/main.rs
@ -31,7 +31,9 @@ mod middleware;
 mod config;
 mod utils;

+/// Blah Chat Server
 #[derive(Debug, clap::Parser)]
+#[clap(about, version = option_env!("CFG_RELEASE").unwrap_or(env!("CARGO_PKG_VERSION")))]
 enum Cli {
    /// Run the server with given configuration.
    Serve {