From bdcc8fbb6aedc48af1fa8c7913f04def2865008b Mon Sep 17 00:00:00 2001
From: Carlos Alexandro Becker
Date: Tue, 2 May 2023 15:05:13 +0000
Subject: [PATCH] feat: package systemd unit
Signed-off-by: Carlos Alexandro Becker
---
 .nfpm/postinstall.sh | 14 ++++++++++++++
 .nfpm/postremove.sh | 6 ++++++
 .nfpm/soft.conf | 6 ++++++
 .nfpm/soft.service | 45 ++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 71 insertions(+)
 create mode 100755 .nfpm/postinstall.sh
 create mode 100755 .nfpm/postremove.sh
 create mode 100644 .nfpm/soft.conf
 create mode 100644 .nfpm/soft.service
diff --git a/.nfpm/postinstall.sh b/.nfpm/postinstall.sh
new file mode 100755
index 000000000..929e3e821
--- /dev/null
+++ b/.nfpm/postinstall.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+set -e
+
+if ! command -V systemctl >/dev/null 2>&1; then
+ echo "Not running SystemD, ignoring"
+ exit 0
+fi
+
+echo "Enabling and starting soft.service"
+systemctl daemon-reload
+systemctl unmask soft.service
+systemctl preset soft.service
+systemctl enable soft.service
+systemctl restart soft.service
diff --git a/.nfpm/postremove.sh b/.nfpm/postremove.sh
new file mode 100755
index 000000000..b94bb042b
--- /dev/null
+++ b/.nfpm/postremove.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+systemctl stop soft.service
+systemctl disable soft.service
+systemctl daemon-reload
diff --git a/.nfpm/soft.conf b/.nfpm/soft.conf
new file mode 100644
index 000000000..d50663825
--- /dev/null
+++ b/.nfpm/soft.conf
@@ -0,0 +1,6 @@
+#SOFT_SERVE_PORT=23231
+#SOFT_SERVE_HOST=domain.tld
+#SOFT_SERVE_BIND_ADDRESS=0.0.0.0
+#SOFT_SERVE_KEY_PATH=.ssh/soft_serve_server_ed25519
+#SOFT_SERVE_INITIAL_ADMIN_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1...'
+SOFT_SERVE_DATA_PATH=/var/local/lib/soft-serve
diff --git a/.nfpm/soft.service b/.nfpm/soft.service
new file mode 100644
index 000000000..4c292720a
--- /dev/null
+++ b/.nfpm/soft.service
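Review bot: The guard on line 4 of postinstall.sh only checks that a `systemctl` binary exists, which is also true in containers and chroots where systemd is not PID 1; there `systemctl daemon-reload` on line 10 fails and `set -e` turns that into a failed package installation. The conventional test is for the booted-systemd marker directory, e.g. `if [ ! -d /run/systemd/system ]; then`, which can be combined with the existing `command -V` check. Running `systemctl preset` immediately followed by `systemctl enable` also makes the preset step moot, since `enable` overrides whatever the distribution's preset policy decided for the unit; keep one or the other. postremove.sh in this same patch has no guard at all and fails the same way on a non-systemd host.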
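Review bot: `systemctl stop` and `systemctl disable` in postremove.sh run unconditionally under `set -e`, so on a host without systemd the script aborts and package removal fails, unlike postinstall.sh which at least checks for `systemctl` first; mirror that check, e.g. `command -v systemctl >/dev/null 2>&1 || exit 0`. Depending on the package format, nfpm's post-remove script may also run during upgrades rather than only on removal (Debian passes `upgrade` as `$1`, rpm passes `1`), in which case the service is stopped and disabled mid-upgrade before postinstall.sh re-enables and restarts it — worth confirming against the generated packages and, if so, skipping the stop/disable when `$1` indicates an upgrade.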
@@ -0,0 +1,45 @@
+[Unit]
+Description=Soft Serve git server 🍦
+Documentation=https://github.com/charmbracelet/soft-serve
+Requires=network-online.target
+After=network-online.target
+
+[Install]
+WantedBy=multi-user.target
+
+# Hardening
+ReadWritePaths=/var/lib/soft-serve
+UMask=0027
+NoNewPrivileges=true
+LimitNOFILE=1048576
+ProtectSystem=strict
+ProtectHome=true
+PrivateUsers=yes
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+CapabilityBoundingSet=
+AmbientCapabilities=
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=1
+ExecStartPre=mkdir -p /var/local/lib/soft-serve
+ExecStart=/usr/bin/soft serve
+EnvironmentFile=-/etc/soft.conf
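Review bot: The entire `# Hardening` block (`ReadWritePaths=` through `SystemCallArchitectures=`) sits under `[Install]`, but every one of those keys is a `[Service]` directive; systemd warns about unknown keys in the Install section and ignores them, so the unit as written starts with none of the sandboxing applied. Move the `[Service]` header up to sit above `# Hardening` (keeping `Type=`, `Restart=`, `ExecStartPre=`, `ExecStart=` and `EnvironmentFile=` in that same section) and place `[Install]` with `WantedBy=multi-user.target` at the end of the file. Once the directives take effect, `ReadWritePaths=/var/lib/soft-serve` does not match the `/var/local/lib/soft-serve` used by `ExecStartPre=mkdir -p` here and by `SOFT_SERVE_DATA_PATH` in soft.conf, so under `ProtectSystem=strict` the data directory is read-only and the `mkdir` and the server's writes fail; use one path in all three places, or `StateDirectory=soft-serve` together with a `/var/lib/soft-serve` data path. There is also no `User=` or `DynamicUser=`, so the server runs as root inside the sandbox; a dedicated service account is worth adding alongside the hardening.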