From 3056b601597ce296806ded24afabe93f38314591 Mon Sep 17 00:00:00 2001
From: Jason Volk
Date: Tue, 10 Jun 2025 20:00:12 +0000
Subject: [PATCH] Bundle systemd service and post-install script for RPM package. (#59 #60)

Signed-off-by: Jason Volk
---
 docs/SUMMARY.md | 1 +
 docs/deploying/SUMMARY.md | 1 +
 docs/deploying/redhat.md | 1 +
 rpm/README.md | 36 ++++++++++++++++++++++
 rpm/postinst | 41 ++++++++++++++++++++++++
 rpm/tuwunel.service | 65 +++++++++++++++++++++++++++++++++++++++
 src/main/Cargo.toml | 2 ++
 7 files changed, 147 insertions(+)
 create mode 100644 docs/deploying/redhat.md
 create mode 100644 rpm/README.md
 create mode 100644 rpm/postinst
 create mode 100644 rpm/tuwunel.service

diff --git a/docs/SUMMARY.md b/docs/SUMMARY.md
index 1c4a5e34..ece24d9c 100644
--- a/docs/SUMMARY.md
+++ b/docs/SUMMARY.md
@@ -10,6 +10,7 @@
 - [Kubernetes](deploying/kubernetes.md)
 - [Arch Linux](deploying/arch-linux.md)
 - [Debian](deploying/debian.md)
+ - [Red Hat](deploying/redhat.md)
 - [FreeBSD](deploying/freebsd.md)
 - [TURN](turn.md)
 - [Appservices](appservices.md)
diff --git a/docs/deploying/SUMMARY.md b/docs/deploying/SUMMARY.md
index 88ae19d9..15c8fe79 100644
--- a/docs/deploying/SUMMARY.md
+++ b/docs/deploying/SUMMARY.md
@@ -6,5 +6,6 @@
 - [Kubernetes](kubernetes.md)
 - [Arch Linux](arch-linux.md)
 - [Debian](debian.md)
+- [Red Hat](redhat.md)
 - [FreeBSD](freebsd.md)
 - [Podman systemd](podman-systemd.md)
diff --git a/docs/deploying/redhat.md b/docs/deploying/redhat.md
new file mode 100644
index 00000000..8abe23f7
--- /dev/null
+++ b/docs/deploying/redhat.md
@@ -0,0 +1 @@
+{{#include ../../rpm/README.md}}
diff --git a/rpm/README.md b/rpm/README.md
new file mode 100644
index 00000000..de022a29
--- /dev/null
+++ b/rpm/README.md
@@ -0,0 +1,36 @@
+# Tuwunel for Red Hat
+
+Information about downloading and deploying the Red Hat package. This may also be
+referenced for other `rpm`-based distros such as CentOS.
+
+### Installation
+
+It is recommended to see the [generic deployment guide](../deploying/generic.md)
+for further information if needed as usage of the RPM package is generally
+related.
+
+No `rpm` repository is currently offered yet, it is in the works/development.
+
+### Configuration
+
+When installed, the example config is placed at `/etc/tuwunel/tuwunel.toml`
+as the default config. The config mentions things required to be changed before
+starting.
+
+You can tweak more detailed settings by uncommenting and setting the config
+options in `/etc/tuwunel/tuwunel.toml`.
+
+### Running
+
+The package uses the [`tuwunel.service`](../configuration/examples.md#example-systemd-unit-file)
+systemd unit file to start and stop Tuwunel. The binary is installed at `/usr/sbin/tuwunel`.
+
+This package assumes by default that Tuwunel will be placed behind a reverse
+proxy. The default config options apply (listening on `localhost` and TCP port
+`8008`). Matrix federation requires a valid domain name and TLS, so you will
+need to set up TLS certificates and renewal for it to work properly if you
+intend to federate.
+
+Consult various online documentation and guides on setting up a reverse proxy
+and TLS. Caddy is documented at the [generic deployment guide](../deploying/generic.md#setting-up-the-reverse-proxy)
+as it's the easiest and most user friendly.
diff --git a/rpm/postinst b/rpm/postinst
new file mode 100644
index 00000000..708fa8fb
--- /dev/null
+++ b/rpm/postinst
@@ -0,0 +1,41 @@
+#!/bin/sh
+set -e
+
+TUWUNEL_DATABASE_PATH=/var/lib/tuwunel
+TUWUNEL_CONFIG_PATH=/etc/tuwunel
+
+case "$1" in
+ configure)
+ # Create the `tuwunel` user if it does not exist yet.
+ if ! getent passwd tuwunel > /dev/null ; then
+ echo 'Adding system user for the tuwunel Matrix homeserver' 1>&2
+ useradd --system --user-group \
+ --create-home --home-dir "$TUWUNEL_DATABASE_PATH" \
+ --shell "/usr/sbin/nologin" \
+ tuwunel
+ fi
+
+ # Create the database path if it does not exist yet and fix up ownership
+ # and permissions for the config.
+ mkdir -v -p "$TUWUNEL_DATABASE_PATH"
+
+ # symlink the previous location for compatibility if it does not exist yet.
+ if ! test -L "/var/lib/matrix-conduit" ; then
+ ln -s -v "$TUWUNEL_DATABASE_PATH" "/var/lib/matrix-conduit"
+ fi
+ if ! test -L "/var/lib/conduwuit" ; then
+ ln -s -v "$TUWUNEL_DATABASE_PATH" "/var/lib/conduwuit"
+ fi
+
+ chown -v tuwunel:tuwunel -R "$TUWUNEL_DATABASE_PATH"
+ chown -v tuwunel:tuwunel -R "$TUWUNEL_CONFIG_PATH"
+
+ chmod -v 740 "$TUWUNEL_DATABASE_PATH"
+
+ echo ''
+ echo 'Make sure you edit the example config at /etc/tuwunel/tuwunel.toml before starting!'
+ echo 'To start the server, run: systemctl start tuwunel.service'
+ echo ''
+
+ ;;
+esac
diff --git a/rpm/tuwunel.service b/rpm/tuwunel.service
new file mode 100644
index 00000000..b8167121
--- /dev/null
+++ b/rpm/tuwunel.service
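Review bot: The `configure)` arm of `case "$1" in` follows the dpkg maintainer-script convention, but this file is wired in as the rpm post-install scriptlet (`post_install_script` in src/main/Cargo.toml), and rpm passes the number of installed package instances in `$1`, so on an RPM install none of the user creation, directory setup or ownership fixes below it appear to run; accepting both conventions keeps the script portable: `configure|1|2)`. The compatibility-link guards `if ! test -L "/var/lib/matrix-conduit" ; then` and the `/var/lib/conduwuit` one only detect an existing symlink, so if a real directory from an earlier install is still there `ln -s` silently creates the link inside it; `if ! test -L "/var/lib/matrix-conduit" && ! test -e "/var/lib/matrix-conduit" ; then` (and likewise for conduwuit) covers that case. `chown -v tuwunel:tuwunel -R "$TUWUNEL_CONFIG_PATH"` also hands the service account write access to its own configuration; unless tuwunel needs to write under /etc/tuwunel, `chown -v root:tuwunel -R "$TUWUNEL_CONFIG_PATH"` keeps the 0640 config readable by the daemon but not modifiable by it.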
@@ -0,0 +1,65 @@
+[Unit]
+Description=Tuwunel Matrix homeserver
+Wants=network-online.target
+After=network-online.target
+Alias=matrix-tuwunel.service
+Documentation=https://tuwunel.chat/
+
+[Service]
+DynamicUser=yes
+User=tuwunel
+Group=tuwunel
+Type=notify
+
+Environment="TUWUNEL_CONFIG=/etc/tuwunel/tuwunel.toml"
+
+ExecStart=/usr/sbin/tuwunel
+
+ReadWritePaths=/var/lib/tuwunel /etc/tuwunel
+
+AmbientCapabilities=
+CapabilityBoundingSet=
+
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+#ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+PrivateDevices=yes
+PrivateMounts=yes
+PrivateTmp=yes
+PrivateUsers=yes
+PrivateIPC=yes
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service @resources
+SystemCallFilter=~@clock @debug @module @mount @reboot @swap @cpu-emulation @obsolete @timer @chown @setuid @privileged @keyring @ipc
+SystemCallErrorNumber=EPERM
+
+RuntimeDirectory=tuwunel
+RuntimeDirectoryMode=0750
+
+Restart=on-failure
+RestartSec=5
+
+TimeoutStopSec=2m
+TimeoutStartSec=2m
+
+StartLimitInterval=1m
+StartLimitBurst=5
+
+[Install]
+WantedBy=multi-user.target
diff --git a/src/main/Cargo.toml b/src/main/Cargo.toml
index f8d10dc6..7b88d821 100644
--- a/src/main/Cargo.toml
+++ b/src/main/Cargo.toml
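Review bot: `Alias=matrix-tuwunel.service` is placed in `[Unit]`, but Alias= is an [Install]-section directive, so systemd reports it as an unknown key and no alias is created on enable; it belongs under `[Install]` next to `WantedBy=multi-user.target`. `ReadWritePaths=/var/lib/tuwunel /etc/tuwunel` opens a write hole through `ProtectSystem=strict` for the configuration directory, which lets a compromised daemon rewrite its own config; unless tuwunel writes there, drop `/etc/tuwunel` from the list (read-only is already the strict default). Pairing `DynamicUser=yes` with a ReadWritePaths allow-list for `/var/lib/tuwunel` is also the pattern the systemd documentation cautions against because of UID reuse, and it interacts with the static `tuwunel` user that rpm/postinst creates and chowns that directory to; if the state directory is private to this service, `StateDirectory=tuwunel` lets systemd own it and makes the manual mkdir/chown unnecessary.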
@@ -39,10 +39,12 @@ name = "tuwunel"
 summary = """\
 High performance Matrix homeserver written in Rust"""
 require-sh = false
+post_install_script = "rpm/postinst"
 assets = [
 { source = "target/release/tuwunel", dest = "/usr/sbin/tuwunel", mode = "755" },
 { source = "README.md", dest = "/usr/share/doc/tuwunel/", mode = "644", doc = true },
 { source = "tuwunel-example.toml", dest = "/etc/tuwunel/tuwunel.toml", mode = "640", config = "noreplace" },
+ { source = "rpm/tuwunel.service", dest = "/etc/systemd/system/", mode = "644" },
 ]
 
 [package.metadata.arch]
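Review bot: The new asset installs the unit into `/etc/systemd/system/`, which is the administrator's local-override directory; packaged units belong in `/usr/lib/systemd/system/` (rpm's `%{_unitdir}`), and because this entry carries no `config = "noreplace"` like the tuwunel.toml asset above it, a local edit to the unit under /etc would be overwritten on upgrade, whereas a unit under /usr/lib can be adjusted with a drop-in. Suggested line: `{ source = "rpm/tuwunel.service", dest = "/usr/lib/systemd/system/", mode = "644" },`. The table these keys belong to (presumably the cargo-generate-rpm metadata table) opens above this hunk.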