diff --git a/http-redirector/PKGBUILD b/http-redirector/PKGBUILD
new file mode 100644
index 0000000..e08976c
--- /dev/null
+++ b/http-redirector/PKGBUILD
@@ -0,0 +1,34 @@
+# Maintainer: Manuel Vögele
+pkgname=http-redirector-git
+pkgver=0
+pkgrel=1
+
+arch=('any')
+makedepends=(
+ 'git'
+ 'cargo'
+)
+source=(
+ 'git+ssh://gitea@git.ccn.li/manuel/http-redirector'
+ 'http-redirector.service'
+ 'sysusers.d'
+)
+sha256sums=('SKIP'
+ '1d05b6a804de9bedaf27d8a7ee32b5bb2fd29833688dfb49151d231ddf78bcc3'
+ '124c6e88ee76e2b7f364140bec90d1acd7d2173be6b3ff02f34f0c0f6dbc38d4')
+
+pkgver() {
+ cd "${srcdir}/http-redirector"
+ printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
+}
+
+build() {
+ cd "${srcdir}/http-redirector"
+ cargo build --release
+}
+
+package() {
+ install -Dm755 "${srcdir}/http-redirector/target/release/http-redirector" "${pkgdir}/usr/bin/http-redirector"
+ install -Dm644 "${srcdir}/http-redirector.service" "${pkgdir}/usr/lib/systemd/system/http-redirector.service"
+ install -Dm644 "${srcdir}/sysusers.d" "${pkgdir}/usr/lib/sysusers.d/http-redirector.conf"
+}
diff --git a/http-redirector/http-redirector.service b/http-redirector/http-redirector.service
new file mode 100644
index 0000000..25680a9
--- /dev/null
+++ b/http-redirector/http-redirector.service
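Review bot: In http-redirector/PKGBUILD, `build()` runs `cargo build --release` without `--locked`, so if the upstream Cargo.lock is missing or out of sync with Cargo.toml, cargo resolves dependency versions at build time instead of failing. The git source is on `SKIP` and follows HEAD, so nothing in the package then pins the crate graph that ends up in `/usr/bin/http-redirector`. Prefer `cargo build --release --locked` (or `cargo fetch --locked` in a `prepare()` followed by `cargo build --frozen --release`), assuming upstream commits a Cargo.lock, which is not visible here. Separately, `arch=('any')` does not fit a package that installs a compiled binary; it should name the build architecture, e.g. `arch=('x86_64')`.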
@@ -0,0 +1,43 @@
+[Unit]
+After=network-online.target
+
+[Service]
+User=http-redirector
+Environment=RUST_LOG=info
+Environment=REDIRECTOR_ROUTES_FILE=/etc/http-redirector-routes.toml
+Environment=ROCKET_PORT=7567
+Environment=ROCKET_ADDRESS=127.0.0.1
+ExecStart=/usr/bin/http-redirector
+
+Restart=on-failure
+RestartSec=5s
+
+ReadOnlyPaths=/etc/http-redirector-routes.toml
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateMounts=yes
+DevicePolicy=closed
+ProtectSystem=strict
+ProtectHome=yes
+ProtectClock=yes
+ProtectHostname=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
+CapabilityBoundingSet=
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+ProtectKernelLogs=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+RemoveIPC=yes
+
+
+[Install]
+WantedBy=multi-user.target
diff --git a/http-redirector/sysusers.d b/http-redirector/sysusers.d
new file mode 100644
index 0000000..0ff6d89
--- /dev/null
+++ b/http-redirector/sysusers.d
@@ -0,0 +1 @@
+u http-redirector - "Unprivileged user for running http-redirector"
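Review bot: In http-redirector.service, `ReadOnlyPaths=/etc/http-redirector-routes.toml` adds nothing under `ProtectSystem=strict`, which already mounts the whole hierarchy read-only. Without a leading `-`, a missing path makes the mount-namespace setup fail before `ExecStart` runs. The PKGBUILD in this commit does not install that file, so a fresh install would likely fail there and retry every 5s under `Restart=on-failure`. Either drop the line or write `ReadOnlyPaths=-/etc/http-redirector-routes.toml`. The syscall allow-list could also be narrowed with a second line, `SystemCallFilter=~@privileged @resources`. Because the service binds only 127.0.0.1, `IPAddressDeny=any` plus `IPAddressAllow=localhost` would confine its traffic to loopback, provided the redirector makes no outbound connections, which this hunk does not show.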