Add systemd --user service running from ~/jmusicbot

4 files changed, 81 insertions, 6 deletions

diff --git a/.SRCINFO b/.SRCINFO
index 34a1506e3b45..928f2cd4d5b5 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
 pkgbase = jmusicbot
 	pkgdesc = A cross-platform Discord music bot with a clean interface
 	pkgver = 0.3.6
-	pkgrel = 2
+	pkgrel = 3
 	url = https://github.com/jagrosh/MusicBot
 	arch = any
 	license = Apache
@@ -12,8 +12,10 @@ pkgbase = jmusicbot
 	source = JMusicBot-0.3.6.tar.gz::https://github.com/jagrosh/MusicBot/archive/refs/tags/0.3.6.tar.gz
 	source = fix-pom.xslt
 	source = jmusicbot@.service
+	source = jmusicbot.service
 	sha384sums = 84f26730f6dbda43780e329a85fe826f84c9ce42f431ceafb02a55f53cf2613b4b5a4a630904ab95a6131bcc96b4aeff
 	sha384sums = b14dcf390d40f51d40b2aee4e8c44722837ad7a9850ecfd48174c74e8ed50709b6a64a817c301a2186e6386c26de0440
-	sha384sums = 12ca3d4af2f117fee113034cca66558aa2cec47865245f58b1a4e71ae2cebd24783e14f644292e9344b290c1962448a8
+	sha384sums = 0e2f5b34b17ab99c425712b8e164493538c0d8df45b9d997649dbf6332bbdef7d6ce33e195ed331cf02d132ee2fa7e88
+	sha384sums = b57c88e240c167debd323399b4144a1f0a566205ccfe54075f06481fe6cfb105f92bc94536575b84bbc1607c102b5e75
 
 pkgname = jmusicbot
diff --git a/PKGBUILD b/PKGBUILD
index f38e6f509e8e..6ef1df7ca6b4 100755
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -4,7 +4,7 @@ _appname='jmusicbot'
 pkgname="$_appname"
 _pkgverUpstream="0.3.6"
 pkgver="${_pkgverUpstream//-/.}"
-pkgrel=2
+pkgrel=3
 pkgdesc="A cross-platform Discord music bot with a clean interface"
 arch=('any')
 url='https://github.com/jagrosh/MusicBot'
@@ -13,10 +13,18 @@ depends=('java-runtime-headless>=11')
 makedepends=('java-environment>=11' 'maven' 'libxslt')
 source=("JMusicBot-${_pkgverUpstream}.tar.gz::https://github.com/jagrosh/MusicBot/archive/refs/tags/${_pkgverUpstream}.tar.gz"
         "fix-pom.xslt"
-        "jmusicbot@.service")
+        "jmusicbot@.service"
+        "jmusicbot.service")
 sha384sums=('84f26730f6dbda43780e329a85fe826f84c9ce42f431ceafb02a55f53cf2613b4b5a4a630904ab95a6131bcc96b4aeff'
             'b14dcf390d40f51d40b2aee4e8c44722837ad7a9850ecfd48174c74e8ed50709b6a64a817c301a2186e6386c26de0440'
-            '12ca3d4af2f117fee113034cca66558aa2cec47865245f58b1a4e71ae2cebd24783e14f644292e9344b290c1962448a8')
+            '0e2f5b34b17ab99c425712b8e164493538c0d8df45b9d997649dbf6332bbdef7d6ce33e195ed331cf02d132ee2fa7e88'
+            'b57c88e240c167debd323399b4144a1f0a566205ccfe54075f06481fe6cfb105f92bc94536575b84bbc1607c102b5e75')
+
+# Build parameters
+# Uncomment and edit to build with a specific Java Development Kit
+#export JAVA_HOME="/usr/lib/jvm/java-11-openjdk"
+# Uncomment and edit to use a specific Maven installation
+#export MVN_HOME="/opt/maven"
 
 build() {
     local buildDir="${srcdir}/MusicBot-${_pkgverUpstream}"
@@ -89,4 +97,10 @@ package() {
     cd "${pkgdir}/usr/lib/systemd/system"
     cp --target-directory . "${srcdir}/jmusicbot@.service"
     chmod u=rwx,go=rx "jmusicbot@.service"
+
+    # Place the systemd user service
+    mkdir --parents "${pkgdir}/usr/lib/systemd/user"
+    cd "${pkgdir}/usr/lib/systemd/user"
+    cp --target-directory . "${srcdir}/jmusicbot.service"
+    chmod u=rwx,go=rx "jmusicbot.service"
 }
diff --git a/jmusicbot.service b/jmusicbot.service
new file mode 100755
index 000000000000..d75cca664b3b
--- /dev/null
+++ b/jmusicbot.service
@@ -0,0 +1,59 @@
+# JMusicBot minimally-privileged systemd user service
+#
+#  - Working directory: "~/jmusicbot"
+#  - Configuration:     "~/jmusicbot/config.txt"
+#  - State:             "~/jmusicbot/serversettings.json"
+#  - Playlists dir:     "~/jmusicbot/Playlists"
+#
+# Setup steps, in bash:
+#  - Create directory "jmusicbot" in your home directory:
+#    $ mkdir ~/jmusicbot
+#  - Go to the new "jmusicbot" directory:
+#    $ cd ~/jmusicbot
+#  - Copy the reference configuration file to the new directory:
+#    $ cp /usr/share/jmusicbot/reference.conf config.txt
+#  - Edit configuration file to your liking:
+#    $ nano config.txt
+#  - Start service instance:
+#    $ systemctl --user start jmusicbot.service
+
+[Unit]
+Description=JMusicBot at %h/jmusicbot
+
+[Install]
+WantedBy=default.target
+
+[Service]
+Type=exec
+ExecStart=/usr/bin/java -Dnogui=true -jar /usr/bin/JMusicBot.jar
+WorkingDirectory=%h/jmusicbot
+Restart=always
+RestartSec=5
+
+# Security and hardening options copied from
+# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
+NoNewPrivileges=yes
+SystemCallArchitectures=native
+PrivateTmp=yes
+# PrivateDevices is not supported in --user services
+#PrivateDevices=yes
+DevicePolicy=closed
+# Deny write access to the entire file system
+ProtectSystem=strict
+# Selectively allow write access for required paths
+ReadWritePaths=%h/jmusicbot
+# Do not allow any access whatsoever to /home, /root and /run/user
+ProtectHome=yes
+ProtectControlGroups=yes
+# ProtectKernelModules is not supported in --user services
+#ProtectKernelModules=yes
+ProtectKernelTunables=yes
+## Only AF_INET and AF_INET6
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+# This service uses Java, which uses a virtual machine, and this option
+# is not compatible with virtual machines
+#MemoryDenyWriteExecute=yes
+LockPersonality=yes
diff --git a/jmusicbot@.service b/jmusicbot@.service
index c4f205cc3ea6..d613cd4d767f 100755
--- a/jmusicbot@.service
+++ b/jmusicbot@.service
@@ -26,7 +26,7 @@
 #    # systemctl start "jmusicbot@$(systemd-escape "my-channel").service"
 
 [Unit]
-Description=JMusicBot instance "%I"
+Description=JMusicBot at /srv/jmusicbot-%I
 Requires=network.target local-fs.target
 After=network.target local-fs.target