Kyle Isom
b0afe3b993
- Rename dist/ -> deploy/ with subdirs examples/, scripts/, systemd/ per standard repository layout - Update .gitignore: gitignore all of dist/ (build output only) - Makefile: all target is now vet->lint->test->build; add vet, proto-lint, devserver targets; CGO_ENABLED=0 for builds (modernc.org/sqlite is pure-Go, no C toolchain needed); CGO_ENABLED=1 retained for tests (race detector) - Dockerfile: builder -> golang:1.26-alpine, runtime -> alpine:3.21; drop libc6 dep; add /srv/mcias/certs and /srv/mcias/backups to image - deploy/systemd/mcias.service: add RestrictSUIDSGID=true - deploy/systemd/mcias-backup.service: new oneshot backup unit - deploy/systemd/mcias-backup.timer: daily 02:00 UTC, 5m jitter - deploy/scripts/install.sh: install backup units and enable timer; create certs/ and backups/ subdirs in /srv/mcias - buf.yaml: add proto linting config for proto-lint target - internal/db: add Snapshot and SnapshotDir methods (VACUUM INTO) - cmd/mciasdb: add snapshot subcommand; no master key required
53 lines
1.4 KiB
Desktop File
53 lines
1.4 KiB
Desktop File
[Unit]
|
|
Description=MCIAS Authentication Server
|
|
Documentation=man:mciassrv(1)
|
|
After=network.target
|
|
# Require network to be available before starting.
|
|
# Remove if you bind only to loopback.
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=mcias
|
|
Group=mcias
|
|
|
|
# Configuration and secrets.
|
|
# /srv/mcias/env must contain MCIAS_MASTER_PASSPHRASE=<passphrase>
|
|
# See deploy/examples/mcias.env.example for the template.
|
|
EnvironmentFile=/srv/mcias/env
|
|
|
|
ExecStart=/usr/local/bin/mciassrv -config /srv/mcias/mcias.toml
|
|
Restart=on-failure
|
|
RestartSec=5
|
|
|
|
# File descriptor limit. mciassrv keeps one fd per open connection plus
|
|
# the SQLite WAL files; 65536 is generous headroom for a personal server.
|
|
LimitNOFILE=65536
|
|
|
|
# Sandboxing. mcias does not need capabilities; it listens on ports > 1024.
|
|
# If you need port 443 or 8443 on a privileged port (< 1024), either:
|
|
# a) use a reverse proxy (recommended), or
|
|
# b) grant CAP_NET_BIND_SERVICE with: AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
CapabilityBoundingSet=
|
|
|
|
# Filesystem restrictions.
|
|
# mciassrv reads and writes /srv/mcias (config, TLS cert/key, database).
|
|
ProtectSystem=strict
|
|
ProtectHome=true
|
|
PrivateTmp=true
|
|
ReadWritePaths=/srv/mcias
|
|
|
|
# Additional hardening.
|
|
NoNewPrivileges=true
|
|
PrivateDevices=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectControlGroups=true
|
|
RestrictSUIDSGID=true
|
|
RestrictNamespaces=true
|
|
RestrictRealtime=true
|
|
LockPersonality=true
|
|
MemoryDenyWriteExecute=true
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|