From 5a3ee4f9c49c10b79d5f5de300108afde3b4b614 Mon Sep 17 00:00:00 2001
From: hg <36822348+hg@users.noreply.github.com>
Date: Fri, 24 Nov 2023 01:15:07 +0600
Subject: [PATCH] Add systemd .service files (#1316) (#1318) Add systemd .service files
---
release_files/systemd/env | 3 ++
.../systemd/netbird-management.service | 41 +++++++++++++++++++
release_files/systemd/netbird-signal.service | 41 +++++++++++++++++++
release_files/systemd/netbird@.service | 41 +++++++++++++++++++
4 files changed, 126 insertions(+)
create mode 100644 release_files/systemd/env
create mode 100644 release_files/systemd/netbird-management.service
create mode 100644 release_files/systemd/netbird-signal.service
create mode 100644 release_files/systemd/netbird@.service
diff --git a/release_files/systemd/env b/release_files/systemd/env
new file mode 100644
index 000000000..9e7f2e138
--- /dev/null
+++ b/release_files/systemd/env
@@ -0,0 +1,3 @@
+# Extra flags you might want to pass to the daemon
+FLAGS=""
+
diff --git a/release_files/systemd/netbird-management.service b/release_files/systemd/netbird-management.service
new file mode 100644
index 000000000..7fc0aa9ed
--- /dev/null
+++ b/release_files/systemd/netbird-management.service
@@ -0,0 +1,41 @@
+[Unit]
+Description=Netbird Management
+Documentation=https://netbird.io/docs
+After=network-online.target syslog.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+EnvironmentFile=-/etc/default/netbird-management
+ExecStart=/usr/bin/netbird-mgmt management $FLAGS
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=10
+CacheDirectory=netbird
+ConfigurationDirectory=netbird
+LogDirectory=netbird
+RuntimeDirectory=netbird
+StateDirectory=netbird
+
+# sandboxing
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateMounts=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=yes
+RemoveIPC=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/release_files/systemd/netbird-signal.service b/release_files/systemd/netbird-signal.service
new file mode 100644
index 000000000..c7e775f49
--- /dev/null
+++ b/release_files/systemd/netbird-signal.service
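Review bot: The `[Service]` section of netbird-management.service sets no `User=`/`Group=` or `DynamicUser=`, so netbird-mgmt runs as root and the sandboxing list has to carry all of the confinement; netbird-signal.service has the same gap. Root also keeps its full capability set because `CapabilityBoundingSet=` is not set, and `ProtectSystem=yes` leaves `/etc` writable. If the daemon does not need root (not visible from this patch), consider `DynamicUser=yes` or a dedicated account such as `User=netbird` (example name), adding `AmbientCapabilities=CAP_NET_BIND_SERVICE` only if it binds a port below 1024. `ProtectSystem=strict` is also worth trying if the daemon writes only under the state, cache, log and runtime directories the unit already declares.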
@@ -0,0 +1,41 @@
+[Unit]
+Description=Netbird Signal
+Documentation=https://netbird.io/docs
+After=network-online.target syslog.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+EnvironmentFile=-/etc/default/netbird-signal
+ExecStart=/usr/bin/netbird-signal run $FLAGS
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=10
+CacheDirectory=netbird
+ConfigurationDirectory=netbird
+LogDirectory=netbird
+RuntimeDirectory=netbird
+StateDirectory=netbird
+
+# sandboxing
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateMounts=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=yes
+RemoveIPC=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/release_files/systemd/netbird@.service b/release_files/systemd/netbird@.service
new file mode 100644
index 000000000..39e3b6b23
--- /dev/null
+++ b/release_files/systemd/netbird@.service
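Review bot: `RuntimeDirectory=netbird` in netbird-signal.service names the same directory that netbird-management.service and every netbird@ instance declare, and systemd removes a unit's runtime directory when that unit stops. Stopping or restarting any one of these services would therefore delete `/run/netbird` from under the others, including the client sockets the template unit places at `/var/run/netbird/%i.sock` (assuming `/var/run` links to `/run`). Give each unit its own directory, e.g. `RuntimeDirectory=netbird-signal`, or set `RuntimeDirectoryPreserve=yes` on all three units. The shared `StateDirectory=`, `LogDirectory=` and `CacheDirectory=` names would also clash on ownership if the services were later given separate users.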
@@ -0,0 +1,41 @@
+[Unit]
+Description=Netbird Client (%i)
+Documentation=https://netbird.io/docs
+After=network-online.target syslog.target NetworkManager.service
+Wants=network-online.target
+
+[Service]
+Type=simple
+EnvironmentFile=-/etc/default/netbird
+ExecStart=/usr/bin/netbird service run --log-file /var/log/netbird/client-%i.log --config /etc/netbird/%i.json --daemon-addr unix:///var/run/netbird/%i.sock $FLAGS
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=10
+CacheDirectory=netbird
+ConfigurationDirectory=netbird
+LogDirectory=netbird
+RuntimeDirectory=netbird
+StateDirectory=netbird
+
+# sandboxing
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateMounts=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=no # needed to load wg module for kernel-mode WireGuard
+ProtectKernelTunables=no
+ProtectSystem=yes
+RemoveIPC=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
+[Install]
+WantedBy=multi-user.target
+
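Review bot: The trailing text on `ProtectKernelModules=no # needed to load wg module for kernel-mode WireGuard` is not a comment to systemd, which treats `#` as a comment marker only at the start of a line. The whole string becomes the value, which is expected to fail boolean parsing, so the line is ignored with a warning in the journal. The unit still ends up with the default (`no`), but only by accident. Move the comment to its own line above the setting: `# needed to load wg module for kernel-mode WireGuard`, then `ProtectKernelModules=no`. A similar one-line comment explaining why `ProtectKernelTunables=no` is needed would help anyone later auditing which protections the client unit relaxes.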