Add cuprated.service

.github/workflows/release.yml

@@ -50,7 +50,7 @@ jobs:
       - name: Generate Archives
         run: |
           set -e -o pipefail # Exit on failures
-          umask 0022         # 755 permissions
+          umask 0077         # 700 permissions
           export TZ=UTC      # UTC timezone
 
           # Reset archive directory in-case.
@@ -71,8 +71,7 @@ jobs:
 
           # Generate archives for Linux.
           if [ "$RUNNER_OS" == "Linux" ]; then
-              # FIXME: <https://github.com/Cuprate/cuprate/issues/396>
-              # cp binaries/cuprated/cuprated.service target/release/
+              cp binaries/cuprated/cuprated.service target/release/
               cd target/release
 
               if [ "$OS" == "ubuntu-22.04" ]; then
@@ -81,9 +80,7 @@ jobs:
                   NAME="cuprated-${VERSION}-linux-arm64.tar.gz"
               fi
 
-              # FIXME: #396
-              # tar -czpf "$ARCHIVE/$NAME" cuprated LICENSE Cuprated.toml cuprated.service
-              tar -czpf "$ARCHIVE/$NAME" cuprated LICENSE Cuprated.toml
+              tar -czpf "$ARCHIVE/$NAME" cuprated LICENSE Cuprated.toml cuprated.service
           fi
 
           # Generate archives for macOS.

binaries/cuprated/cuprated.service

@@ -0,0 +1,80 @@
+## cuprated.service
+##
+## This file is a relatively hardened systemd
+## service for `cuprated`, it:
+##
+## - requires a `cuprate` user exists
+## - restricts filesystem access to `/home/cuprate`
+## - requires `/home/cuprate/cuprated`
+##   and `/home/cuprate/Cuprated.toml` exist
+##
+## For service file documentation, see:
+## <https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html>
+
+[Unit]
+Description=Cuprate Monero Node
+StartLimitIntervalSec=300
+StartLimitBurst=5
+
+[Service]
+## User.
+User=cuprate
+Group=cuprate
+Type=simple
+
+## Max memory.
+MemoryAccounting=yes
+MemoryHigh=4G
+MemoryMax=4G
+
+## Start command.
+ExecStart=/home/cuprate/cuprated --config-file /home/cuprate/Cuprated.toml
+
+## Restart every 5s on failure.
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=5s
+
+## Open file limit.
+LimitNOFILE=16384
+
+## On exit, wait 1 minute before sending SIGKILL.
+TimeoutStopSec=60s
+SendSIGKILL=true
+
+## Restrict filesystem access.
+BindPaths=/home/cuprate
+
+## Security hardening.
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+
+CapabilityBoundingSet=
+DeviceAllow=
+LockPersonality=true
+NoNewPrivileges=true
+ProcSubset=pid
+RemoveIPC=true
+SystemCallArchitectures=native
+UMask=0077
+
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=read-only
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+
+[Install]
+WantedBy=multi-user.target

books/user/src/SUMMARY.md

@@ -19,6 +19,9 @@
     - [Ports](resources/ports.md)
     - [IP](resources/ip.md)
 
+- [Deployment](deployment/intro.md)
+    - [systemd](deployment/systemd.md)
+
 - [Platform support](platform.md)
 - [License](license.md)
 

books/user/src/deployment/intro.md

@@ -0,0 +1,2 @@
+# Deployment
+This section covers ways of deploying `cuprated`.

books/user/src/deployment/systemd.md

@@ -0,0 +1,27 @@
+# systemd
+`cuprated` can be ran as a `systemd` service, the below are commands to setup a relatively hardened deployment.
+
+```bash
+# Create the `cuprate` user
+sudo useradd --system --shell /sbin/nologin --home-dir /home/cuprate cuprate
+
+# Move `cuprated` and the config file
+# into the appropriate location.
+mv cuprated Cuprated.toml /home/cuprate/
+
+# Move the service file to the appropriate location.
+sudo mv cuprated.service /etc/systemd/system/
+
+# Start the `cuprated` service.
+sudo systemctl daemon-reload
+sudo systemctl start cuprated
+
+# (Optional) start `cuprated` upon boot.
+sudo systemctl enable cuprated
+```
+
+A relatively hardened [`systemd` service file](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html) for `cuprated`:
+
+```properties
+{{#include ../../../../binaries/cuprated/cuprated.service}}
+```