Bundle systemd service and post-install script for RPM package. (#59 #60)

Signed-off-by: Jason Volk <jason@zemos.net>

docs/SUMMARY.md

@@ -10,6 +10,7 @@
   - [Kubernetes](deploying/kubernetes.md)
   - [Arch Linux](deploying/arch-linux.md)
   - [Debian](deploying/debian.md)
+  - [Red Hat](deploying/redhat.md)
   - [FreeBSD](deploying/freebsd.md)
 - [TURN](turn.md)
 - [Appservices](appservices.md)

docs/deploying/SUMMARY.md

@@ -6,5 +6,6 @@
 - [Kubernetes](kubernetes.md)
 - [Arch Linux](arch-linux.md)
 - [Debian](debian.md)
+- [Red Hat](redhat.md)
 - [FreeBSD](freebsd.md)
 - [Podman systemd](podman-systemd.md)

docs/deploying/redhat.md

@@ -0,0 +1 @@
+{{#include ../../rpm/README.md}}

rpm/README.md

@@ -0,0 +1,36 @@
+# Tuwunel for Red Hat
+
+Information about downloading and deploying the Red Hat package. This may also be
+referenced for other `rpm`-based distros such as CentOS.
+
+### Installation
+
+It is recommended to see the [generic deployment guide](../deploying/generic.md)
+for further information if needed as usage of the RPM package is generally
+related.
+
+No `rpm` repository is currently offered yet, it is in the works/development.
+
+### Configuration
+
+When installed, the example config is placed at `/etc/tuwunel/tuwunel.toml`
+as the default config. The config mentions things required to be changed before
+starting.
+
+You can tweak more detailed settings by uncommenting and setting the config
+options in `/etc/tuwunel/tuwunel.toml`.
+
+### Running
+
+The package uses the [`tuwunel.service`](../configuration/examples.md#example-systemd-unit-file)
+systemd unit file to start and stop Tuwunel. The binary is installed at `/usr/sbin/tuwunel`.
+
+This package assumes by default that Tuwunel will be placed behind a reverse
+proxy. The default config options apply (listening on `localhost` and TCP port
+`8008`). Matrix federation requires a valid domain name and TLS, so you will
+need to set up TLS certificates and renewal for it to work properly if you
+intend to federate.
+
+Consult various online documentation and guides on setting up a reverse proxy
+and TLS. Caddy is documented at the [generic deployment guide](../deploying/generic.md#setting-up-the-reverse-proxy)
+as it's the easiest and most user friendly.

rpm/postinst

@@ -0,0 +1,41 @@
+#!/bin/sh
+set -e
+
+TUWUNEL_DATABASE_PATH=/var/lib/tuwunel
+TUWUNEL_CONFIG_PATH=/etc/tuwunel
+
+case "$1" in
+  configure)
+    # Create the `tuwunel` user if it does not exist yet.
+    if ! getent passwd tuwunel > /dev/null ; then
+      echo 'Adding system user for the tuwunel Matrix homeserver' 1>&2
+      useradd --system --user-group \
+        --create-home --home-dir "$TUWUNEL_DATABASE_PATH" \
+        --shell "/usr/sbin/nologin" \
+        tuwunel
+    fi
+
+    # Create the database path if it does not exist yet and fix up ownership
+    # and permissions for the config.
+    mkdir -v -p "$TUWUNEL_DATABASE_PATH"
+
+    # symlink the previous location for compatibility if it does not exist yet.
+    if ! test -L "/var/lib/matrix-conduit" ; then
+        ln -s -v "$TUWUNEL_DATABASE_PATH" "/var/lib/matrix-conduit"
+    fi
+    if ! test -L "/var/lib/conduwuit" ; then
+        ln -s -v "$TUWUNEL_DATABASE_PATH" "/var/lib/conduwuit"
+    fi
+
+    chown -v tuwunel:tuwunel -R "$TUWUNEL_DATABASE_PATH"
+    chown -v tuwunel:tuwunel -R "$TUWUNEL_CONFIG_PATH"
+
+    chmod -v 740 "$TUWUNEL_DATABASE_PATH"
+
+    echo ''
+    echo 'Make sure you edit the example config at /etc/tuwunel/tuwunel.toml before starting!'
+    echo 'To start the server, run: systemctl start tuwunel.service'
+    echo ''
+
+    ;;
+esac

rpm/tuwunel.service

@@ -0,0 +1,65 @@
+[Unit]
+Description=Tuwunel Matrix homeserver
+Wants=network-online.target
+After=network-online.target
+Alias=matrix-tuwunel.service
+Documentation=https://tuwunel.chat/
+
+[Service]
+DynamicUser=yes
+User=tuwunel
+Group=tuwunel
+Type=notify
+
+Environment="TUWUNEL_CONFIG=/etc/tuwunel/tuwunel.toml"
+
+ExecStart=/usr/sbin/tuwunel
+
+ReadWritePaths=/var/lib/tuwunel /etc/tuwunel
+
+AmbientCapabilities=
+CapabilityBoundingSet=
+
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+#ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+PrivateDevices=yes
+PrivateMounts=yes
+PrivateTmp=yes
+PrivateUsers=yes
+PrivateIPC=yes
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service @resources
+SystemCallFilter=~@clock @debug @module @mount @reboot @swap @cpu-emulation @obsolete @timer @chown @setuid @privileged @keyring @ipc
+SystemCallErrorNumber=EPERM
+
+RuntimeDirectory=tuwunel
+RuntimeDirectoryMode=0750
+
+Restart=on-failure
+RestartSec=5
+
+TimeoutStopSec=2m
+TimeoutStartSec=2m
+
+StartLimitInterval=1m
+StartLimitBurst=5
+
+[Install]
+WantedBy=multi-user.target

src/main/Cargo.toml

@@ -39,10 +39,12 @@ name = "tuwunel"
 summary = """\
 High performance Matrix homeserver written in Rust"""
 require-sh = false
+post_install_script = "rpm/postinst"
 assets = [
 	{ source = "target/release/tuwunel", dest = "/usr/sbin/tuwunel", mode = "755" },
 	{ source = "README.md", dest = "/usr/share/doc/tuwunel/", mode = "644", doc = true },
 	{ source = "tuwunel-example.toml", dest = "/etc/tuwunel/tuwunel.toml", mode = "640", config = "noreplace" },
+	{ source = "rpm/tuwunel.service", dest = "/etc/systemd/system/", mode = "644" },
 ]
 
 [package.metadata.arch]