floonet-rs: hardened nostr-rs-relay for the Grin community
nostr-rs-relay + a default-deny admission pipeline (kinds 0,3,5,13,1059,
10002,10050,27235 only), NIP-42 auth, neutral NIP-11, a built-in name
authority (paid names via GoblinPay), and a config-toggled co-located
mixnet exit supervisor. Single binary + installer + hardened systemd, or
Docker Compose. Relay core untouched (additive admission + authority).

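# Hardened systemd unit for floonet-rs on bare metal.
#
# Install (or just run deploy/install.sh):
#   sudo install -m0755 floonet-rs /usr/local/bin/
#   sudo install -m0755 floonet-mixexit /usr/local/bin/   # optional, mixnet exit
#   sudo install -d -m0755 /etc/floonet-rs
#   sudo install -m0600 config.toml /etc/floonet-rs/config.toml
#   sudo install -m0644 deploy/floonet-rs.service /etc/systemd/system/
#   sudo systemctl daemon-reload && sudo systemctl enable --now floonet-rs
#
# config.toml stays root:root 0600 on disk. The relay runs as an
# unprivileged (dynamic) user and therefore cannot open that file itself;
# the service manager reads it as root via LoadCredential= and exposes a
# private, read-only copy under $CREDENTIALS_DIRECTORY, which is the path
# ExecStart hands to --config. Do not loosen the file mode to work around
# a permission error -- the credential is the supported path.
#
# The service is locked down: dynamic unprivileged user, empty capability
# set, read-only system, no new privileges; only its state directory is
# writable. LoadCredential=, ProtectProc= and ProcSubset= need
# systemd >= 247.

[Unit]
Description=floonet-rs relay (Floonet relay for the Grin community Nostr network)
After=network-online.target
Wants=network-online.target

[Service]
Type=exec
# DynamicUser allocates a throwaway unprivileged user at runtime. If you
# need a stable owner for the data dir, comment this out and set
# `User=floonet` (create the user first). Either way the process is not
# root, which is why config.toml is delivered as a credential below rather
# than opened directly.
DynamicUser=yes
# Managed state at /var/lib/floonet-rs (created and chowned by systemd;
# with DynamicUser= the real directory lives under /var/lib/private/ and
# /var/lib/floonet-rs is a symlink to it).
# config.toml's data_directory and exit.data_dir point inside it.
StateDirectory=floonet-rs
StateDirectoryMode=0750
# Anything the relay creates (database, exit state) is private to its user.
UMask=0077
# Read /etc/floonet-rs/config.toml with the manager's privileges and hand
# it to the service as $CREDENTIALS_DIRECTORY/config.toml (0400, owned by
# the service user). The on-disk file can stay root-owned 0600.
LoadCredential=config.toml:/etc/floonet-rs/config.toml
# Optional environment overrides (paid mode without editing config.toml):
#   FLOONET_PAY_MODE, FLOONET_GOBLINPAY_URL, FLOONET_GOBLINPAY_TOKEN,
#   FLOONET_NAME_PRICE_GRIN.
# The file is read by the manager before privileges are dropped, so keep
# it root-owned 0600 when it holds a token. Environment variables are
# inherited by every child the relay spawns (presumably including the
# mixnet exit supervisor when it is enabled) -- if that matters, pass the
# token as a credential instead of through the environment.
#EnvironmentFile=-/etc/floonet-rs/env
# %d expands to the unit's credentials directory (see LoadCredential=).
ExecStart=/usr/local/bin/floonet-rs --config %d/config.toml
Restart=on-failure
RestartSec=2

# --- hardening ---
# No capabilities at all: the relay listens on an unprivileged port and
# never needs to escalate. Binding a port below 1024 would require
# CAP_NET_BIND_SERVICE in both lines; put a reverse proxy in front instead.
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# Map the service user into its own user namespace so even a UID 0 inside
# the sandbox is unprivileged on the host.
PrivateUsers=yes
# Hide other processes and the non-PID parts of /proc from the relay.
ProtectProc=invisible
ProcSubset=pid
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
# Implied by DynamicUser=, stated explicitly so it survives a switch to a
# static User=.
RemoveIPC=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
# @resources also blocks setrlimit(2). If the relay dies at startup with
# SIGSYS (journal: "code=killed, status=31/SYS"), this is the first filter
# to relax -- do not remove the whole allow-list.
SystemCallFilter=~@privileged @resources
# StateDirectory= is already added to the writable paths; listed
# explicitly so the intent is visible and survives replacing
# StateDirectory= with a hand-made directory.
ReadWritePaths=/var/lib/floonet-rs
# No raw or packet sockets: IPv4/IPv6 for the listener (and any outbound
# GoblinPay calls), unix for the database. If the mixnet exit or name
# resolution turns out to need AF_NETLINK, add it here rather than
# dropping the restriction.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

[Install]
WantedBy=multi-user.target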