From df92b86604757acf46dd472016b3e20a6d99be60 Mon Sep 17 00:00:00 2001
From: Simon Ser <contact@emersion.fr>
Date: Sat, 24 Jul 2021 15:40:24 +0200
Subject: [PATCH] contrib/systemd: add template files

---
 contrib/systemd/tlstunnel.service  | 29 +++++++++++++++++++++++++++++
 contrib/systemd/tlstunnel.sysusers |  1 +
 contrib/systemd/tlstunnel.tmpfiles |  1 +
 3 files changed, 31 insertions(+)
 create mode 100644 contrib/systemd/tlstunnel.service
 create mode 100644 contrib/systemd/tlstunnel.sysusers
 create mode 100644 contrib/systemd/tlstunnel.tmpfiles

diff --git a/contrib/systemd/tlstunnel.service b/contrib/systemd/tlstunnel.service
new file mode 100644
index 0000000..2b85c9b
--- /dev/null
+++ b/contrib/systemd/tlstunnel.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=tlstunnel reverse proxy
+Documentation=https://sr.ht/~emersion/tlstunnel
+After=network.target
+
+[Service]
+User=tlstunnel
+ExecStart=/usr/bin/tlstunnel
+ExecReload=kill -HUP $MAINPID
+TimeoutStopSec=5s
+LimitNOFILE=1048576
+LimitNPROC=512
+
+# Hardening options
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=strict
+ReadWritePaths=/var/lib/tlstunnel
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+LockPersonality=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/contrib/systemd/tlstunnel.sysusers b/contrib/systemd/tlstunnel.sysusers
new file mode 100644
index 0000000..2b56a45
--- /dev/null
+++ b/contrib/systemd/tlstunnel.sysusers
@@ -0,0 +1 @@
+u tlstunnel - "tlstunnel user" /var/lib/tlstunnel
diff --git a/contrib/systemd/tlstunnel.tmpfiles b/contrib/systemd/tlstunnel.tmpfiles
new file mode 100644
index 0000000..59ae79a
--- /dev/null
+++ b/contrib/systemd/tlstunnel.tmpfiles
@@ -0,0 +1 @@
+d /var/lib/tlstunnel 0750 tlstunnel tlstunnel -