floonet-strfry/deploy/systemd/floonet-authority.service
Goblin 16302ed309 floonet-strfry: hardened strfry relay for the Grin community
Stock strfry + a default-deny write-policy plugin (kinds 0,3,5,13,1059,
10002,10050,27235 only), NIP-42 auth, neutral NIP-11, a bundled name
authority (paid names/uses via GoblinPay), and a config-toggled co-located
mixnet exit. Docker Compose + Caddy + hardened systemd. strfry core stays
stock (plugin + config only). Validated end to end against real strfry.
2026-07-02 08:20:30 -04:00


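# Hardened systemd unit for the Floonet name authority on bare metal.
#
# Install:
#   cd name-authority && cargo build --release
#   sudo install -m0755 target/release/floonet-name-authority /usr/local/bin/
#   sudo install -m0640 ../.env /etc/floonet-authority.env   # see .env.example
#   sudo install -m0644 ../deploy/systemd/floonet-authority.service /etc/systemd/system/
#   sudo systemctl daemon-reload && sudo systemctl enable --now floonet-authority
#
# The service stores only public data plus payment grant state, but it is
# still locked down: dynamic unprivileged user, read-only system, no new
# privileges, no capabilities, generic syscall allow-list.
#
# Keep the GoblinPay token out of world-readable files. The env file above is
# loaded by systemd before privileges are dropped, so 0640 root:root is enough
# for it. NOTE: because DynamicUser=yes runs the daemon as an ephemeral UID, a
# root-owned 0400 file referenced by GOBLINPAY_TOKEN_FILE would NOT be readable
# by the process itself; use LoadCredential= (commented example under
# [Service]) to hand the token to the service instead.

[Unit]
Description=Floonet name authority (name@domain -> nostr pubkey)
After=network-online.target
Wants=network-online.target

[Service]
Type=exec
# DynamicUser allocates a throwaway unprivileged user at runtime. If you need
# a stable owner for the data dir, comment this out and set `User=floonet`
# (create the user first).
DynamicUser=yes
# Identity/config. Edit /etc/floonet-authority.env (copy of .env.example).
EnvironmentFile=/etc/floonet-authority.env
# Preferred way to supply the GoblinPay token under DynamicUser: systemd copies
# the source file into a per-service credentials directory readable only by
# this service, and %d expands to that directory at runtime. Uncomment both
# lines and point the source at your token file (the path below is only an
# example). The application must honour GOBLINPAY_TOKEN_FILE (see .env.example).
#LoadCredential=goblinpay-token:/etc/floonet-authority/goblinpay.token
#Environment=GOBLINPAY_TOKEN_FILE=%d/goblinpay-token
# Managed state at /var/lib/floonet-authority (created and chowned by systemd).
StateDirectory=floonet-authority
StateDirectoryMode=0750
Environment=FLOONET_NAMES_DB=/var/lib/floonet-authority/names.db
ExecStart=/usr/local/bin/floonet-name-authority
Restart=on-failure
# seconds
RestartSec=2

# --- hardening ---
NoNewPrivileges=yes
# The daemon runs fully unprivileged; drop every capability explicitly so a
# later change to User=/DynamicUser= cannot silently reintroduce them.
CapabilityBoundingSet=
AmbientCapabilities=
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
# Hide other processes from /proc and drop non-process /proc entries.
ProtectProc=invisible
ProcSubset=pid
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
# Allow the generic service syscall set, then explicitly deny the privileged
# and resource-control groups (repeated SystemCallFilter= lines accumulate).
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# Files the service creates (e.g. names.db) are private to its user.
UMask=0077
# Only the state directory is writable.
ReadWritePaths=/var/lib/floonet-authority
# IPv4/IPv6 for the listener and outbound HTTP, plus AF_UNIX for local
# sockets (journal/sd_notify). Raw, packet and other families stay blocked.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

[Install]
WantedBy=multi-user.target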