author    Franck Cuny <franck@fcuny.net>  2021-10-25 10:10:42 -0700
committer Franck Cuny <franck@fcuny.net>  2022-06-11 14:32:09 -0700
commit    2a354d6e9f20576d2050971fbc71f031142fc19b
tree      4915123e7b261bec000070084f9d27e9dfe9e7d3
parent    scrobbler: read mpd status before processing song
download  world-2a354d6e9f20576d2050971fbc71f031142fc19b.tar.gz
scrobbler: add a systemd unit file
As I want the scrobbler to be started automatically when I log into my
session, the easiest way to do this is by having a systemd unit file
that I run for my own user.

The unit expects that the binary for the scrobbler is under my $GOPATH,
which is hard-coded for now. We also ensure that the binary exists
before starting the unit.

We harness the service with a number of directives.
-rw-r--r--  tools/mpd-stats/systemd/mpd-scrobbler.service | 43 +++
1 file changed, 43 insertions(+), 0 deletions(-)
diff --git a/tools/mpd-stats/systemd/mpd-scrobbler.service b/tools/mpd-stats/systemd/mpd-scrobbler.service
new file mode 100644
index 0000000..7990208
--- /dev/null
+++ b/tools/mpd-stats/systemd/mpd-scrobbler.service
@@ -0,0 +1,43 @@
+[Unit]
+Description=mpd scrobbler
+Documentation=https://git.fcuny.net/fcuny/mpd-stats
+ConditionFileIsExecutable=%h/workspace/go/bin/mpd-scrobbler
+
+[Service]
+ExecStart=%h/workspace/go/bin/mpd-scrobbler
+Restart=on-failure
+
+PrivateTmp=yes
+ProtectSystem=strict
+NoNewPrivileges=yes
+ProtectHome=yes
+
+# Prohibit access to any kind of namespacing:
+RestrictNamespaces=yes
+
+# Make cgroup file system hierarchy inaccessible:
+ProtectControlGroups=yes
+
+# Deny access to other user’s information in /proc:
+ProtectProc=invisible
+
+# Only allow access to /proc pid files, no other files:
+ProcSubset=pid
+
+# This daemon must not create any new files, but set the umask to 077 just in case.
+UMask=077
+
+# Filter dangerous system calls. The following is listed as safe basic choice
+# in systemd.exec(5):
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+SystemCallFilter=~@resources
+SystemCallErrorNumber=EPERM
+
+# Deny kernel execution domain changing:
+LockPersonality=yes
+
+# Deny memory mappings that are writable and executable:
+MemoryDenyWriteExecute=yes
+
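Review bot: the unit has no [Install] section, so "systemctl --user enable mpd-scrobbler.service" has nothing to hook it into and the service will not be started at login as the commit message intends; add "[Install]" followed by "WantedBy=default.target" after the [Service] block. Second, ProtectHome=yes makes /home, /root and /run/user inaccessible to the service, while both ConditionFileIsExecutable= and ExecStart= point at %h/workspace/go/bin/mpd-scrobbler; if the home directory lives under /home the binary is unreachable once the sandbox is set up and the exec fails, and ConditionFileIsExecutable= will not catch this because conditions are evaluated by the manager in its own namespace, not inside the service's. Either switch to ProtectHome=read-only, keep ProtectHome=yes and add "BindReadOnlyPaths=%h/workspace/go/bin/mpd-scrobbler", or install the binary outside the home directory. The same applies to any configuration or state the scrobbler reads or writes under %h: with ProtectSystem=strict plus ProtectHome=yes the only writable location is the private /tmp, which is consistent with the "must not create any new files" comment above UMask=, but anything it does need under the home directory has to be listed in ReadOnlyPaths= or ReadWritePaths=. Also, Restart=on-failure with the default RestartSec= of 100ms will exhaust the default start rate limit (5 starts in 10s) almost immediately if the scrobbler exits because mpd is not yet reachable at login; set RestartSec= to a few seconds and, if mpd runs as a user unit, add an After= on it. Finally, since this is a user unit and the mount-namespace directives (PrivateTmp=, ProtectSystem=, ProtectHome=, ProtectProc=, ProcSubset=) normally need privileges, confirm on the target machine that they are actually applied, for example with "systemd-analyze security --user mpd-scrobbler.service" and by checking "journalctl --user -u mpd-scrobbler.service" for namespace setup errors after the first start.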