build, etc: Add systemd units and ufw rules for relay and discovery (fixes #5115) (#5350)

2024-12-22 10:58:57 +00:00 · 2019-08-08 18:04:52 +02:00 · 2019-08-08 18:04:52 +02:00 · 7b37d453f9
commit 7b37d453f9
parent edf2399ce6
9 changed files with 90 additions and 8 deletions
--- a/build.go
+++ b/build.go
@ -57,11 +57,13 @@ type target struct {
 	name              string
 	debname           string
 	debdeps           []string
 	debpre            string
 	debpost           string
 	description       string
 	buildPkg          string
 	binaryName        string
 	archiveFiles      []archiveFile
 	systemdServices   []string
 	installationFiles []archiveFile
 	tags              []string
 }
@ -128,6 +130,7 @@ var targets = map[string]target{
 		name:        "stdiscosrv",
 		debname:     "syncthing-discosrv",
 		debdeps:     []string{"libc6"},
 		debpre:      "cmd/stdiscosrv/scripts/preinst",
 		description: "Syncthing Discovery Server",
 		buildPkg:    "github.com/syncthing/syncthing/cmd/stdiscosrv",
 		binaryName:  "stdiscosrv", // .exe will be added automatically for Windows builds
@ -137,12 +140,17 @@ var targets = map[string]target{
 			{src: "LICENSE", dst: "LICENSE.txt", perm: 0644},
 			{src: "AUTHORS", dst: "AUTHORS.txt", perm: 0644},
 		},
 		systemdServices: []string{
 			"cmd/stdiscosrv/etc/linux-systemd/stdiscosrv.service",
 		},
 		installationFiles: []archiveFile{
 			{src: "{{binary}}", dst: "deb/usr/bin/{{binary}}", perm: 0755},
 			{src: "cmd/stdiscosrv/README.md", dst: "deb/usr/share/doc/syncthing-discosrv/README.txt", perm: 0644},
 			{src: "LICENSE", dst: "deb/usr/share/doc/syncthing-discosrv/LICENSE.txt", perm: 0644},
 			{src: "AUTHORS", dst: "deb/usr/share/doc/syncthing-discosrv/AUTHORS.txt", perm: 0644},
 			{src: "man/stdiscosrv.1", dst: "deb/usr/share/man/man1/stdiscosrv.1", perm: 0644},
 			{src: "cmd/stdiscosrv/etc/linux-systemd/default", dst: "deb/etc/default/syncthing-discosrv", perm: 0644},
 			{src: "cmd/stdiscosrv/etc/firewall-ufw/stdiscosrv", dst: "deb/etc/ufw/applications.d/stdiscosrv", perm: 0644},
 		},
 		tags: []string{"purego"},
 	},
@ -150,6 +158,7 @@ var targets = map[string]target{
 		name:        "strelaysrv",
 		debname:     "syncthing-relaysrv",
 		debdeps:     []string{"libc6"},
 		debpre:      "cmd/strelaysrv/scripts/preinst",
 		description: "Syncthing Relay Server",
 		buildPkg:    "github.com/syncthing/syncthing/cmd/strelaysrv",
 		binaryName:  "strelaysrv", // .exe will be added automatically for Windows builds
@ -160,6 +169,9 @@ var targets = map[string]target{
 			{src: "LICENSE", dst: "LICENSE.txt", perm: 0644},
 			{src: "AUTHORS", dst: "AUTHORS.txt", perm: 0644},
 		},
 		systemdServices: []string{
 			"cmd/strelaysrv/etc/linux-systemd/strelaysrv.service",
 		},
 		installationFiles: []archiveFile{
 			{src: "{{binary}}", dst: "deb/usr/bin/{{binary}}", perm: 0755},
 			{src: "cmd/strelaysrv/README.md", dst: "deb/usr/share/doc/syncthing-relaysrv/README.txt", perm: 0644},
@ -167,6 +179,8 @@ var targets = map[string]target{
 			{src: "LICENSE", dst: "deb/usr/share/doc/syncthing-relaysrv/LICENSE.txt", perm: 0644},
 			{src: "AUTHORS", dst: "deb/usr/share/doc/syncthing-relaysrv/AUTHORS.txt", perm: 0644},
 			{src: "man/strelaysrv.1", dst: "deb/usr/share/man/man1/strelaysrv.1", perm: 0644},
 			{src: "cmd/strelaysrv/etc/linux-systemd/default", dst: "deb/etc/default/syncthing-relaysrv", perm: 0644},
 			{src: "cmd/strelaysrv/etc/firewall-ufw/strelaysrv", dst: "deb/etc/ufw/applications.d/strelaysrv", perm: 0644},
 		},
 	},
 	"strelaypoolsrv": {
@ -555,9 +569,15 @@ func buildDeb(target target) {
 	for _, dep := range target.debdeps {
 		args = append(args, "-d", dep)
 	}
 	for _, service := range target.systemdServices {
 		args = append(args, "--deb-systemd", service)
 	}
 	if target.debpost != "" {
 		args = append(args, "--after-upgrade", target.debpost)
 	}
 	if target.debpre != "" {
 		args = append(args, "--before-install", target.debpre)
 	}
 	runPrint("fpm", args...)
 }
--- a/cmd/stdiscosrv/etc/firewall-ufw/stdiscosrv
+++ b/cmd/stdiscosrv/etc/firewall-ufw/stdiscosrv
@ -0,0 +1,4 @@
 [stdiscosrv]
 title=Syncthing discovery server
 description=Lets syncthing clients discover each other
 ports=8443/tcp
--- a/cmd/stdiscosrv/etc/linux-systemd/default
+++ b/cmd/stdiscosrv/etc/linux-systemd/default
@ -0,0 +1,3 @@
 # Default settings for syncthing-relaysrv (strelaysrv).
 ## Add Options here:
 DISCOSRV_OPTS=
--- a/cmd/stdiscosrv/etc/linux-systemd/stdiscosrv.service
+++ b/cmd/stdiscosrv/etc/linux-systemd/stdiscosrv.service
@ -0,0 +1,25 @@
 [Unit]
 Description=Syncthing Discovery Server
 After=network.target
 Documentation=man:stdiscosrv(1)
 [Service]
 WorkingDirectory=/var/lib/syncthing-discosrv
 EnvironmentFile=/etc/default/syncthing-discosrv
 ExecStart=/usr/bin/stdiscosrv $DISCOSRV_OPTS
 # Hardening
 User=syncthing-discosrv
 Group=syncthing
 ProtectSystem=strict
 ReadWritePaths=/var/lib/syncthing-discosrv
 NoNewPrivileges=true
 PrivateTmp=true
 PrivateDevices=true
 ProtectHome=true
 SystemCallArchitectures=native
 MemoryDenyWriteExecute=true
 [Install]
 WantedBy=multi-user.target
 Alias=syncthing-discosrv.service
--- a/cmd/stdiscosrv/scripts/preinst
+++ b/cmd/stdiscosrv/scripts/preinst
@ -0,0 +1,4 @@
 #!/bin/bash
 addgroup --system syncthing
 adduser --system --home /var/lib/syncthing-discosrv --ingroup syncthing syncthing-discosrv
--- a/cmd/strelaysrv/etc/firewall-ufw/strelaysrv
+++ b/cmd/strelaysrv/etc/firewall-ufw/strelaysrv
@ -0,0 +1,9 @@
 [strelaysrv]
 title=Syncthing relay server
 description=Proxies traffic of syncthing client behind firewalls
 ports=22067/tcp
 [strelaysrv-metrics]
 title=Syncthing relay metrics
 description=Provides metrics about the syncthing relay server
 ports=22070/tcp
--- a/cmd/strelaysrv/etc/linux-systemd/default
+++ b/cmd/strelaysrv/etc/linux-systemd/default
@ -0,0 +1,5 @@
 # Default settings for syncthing-relaysrv (strelaysrv).
 NAT=true
 ## Add Options here:
 RELAYSRV_OPTS=
--- a/cmd/strelaysrv/etc/linux-systemd/strelaysrv.service
+++ b/cmd/strelaysrv/etc/linux-systemd/strelaysrv.service
@ -1,17 +1,25 @@
 [Unit]
-Description=Syncthing relay server
+Description=Syncthing Relay Server
 After=network.target
 Documentation=man:strelaysrv(1)
 [Service]
-User=strelaysrv
+WorkingDirectory=/var/lib/syncthing-relaysrv
-Group=strelaysrv
+EnvironmentFile=/etc/default/syncthing-relaysrv
-ExecStart=/usr/bin/strelaysrv
+ExecStart=/usr/bin/strelaysrv -nat=${NAT} $RELAYSRV_OPTS
 WorkingDirectory=/var/lib/strelaysrv
-PrivateTmp=true
+# Hardening
-ProtectSystem=full
+User=syncthing-relaysrv
-ProtectHome=true
+Group=syncthing
 ProtectSystem=strict
 ReadWritePaths=/var/lib/syncthing-relaysrv
 NoNewPrivileges=true
 PrivateTmp=true
 PrivateDevices=true
 ProtectHome=true
 SystemCallArchitectures=native
 MemoryDenyWriteExecute=true
 [Install]
 WantedBy=multi-user.target
 Alias=syncthing-relaysrv.service
--- a/cmd/strelaysrv/scripts/preinst
+++ b/cmd/strelaysrv/scripts/preinst
@ -0,0 +1,4 @@
 #!/bin/bash
 addgroup --system syncthing
 adduser --system --home /var/lib/syncthing-relaysrv --ingroup syncthing syncthing-relaysrv