authorMartin/Geno2019-10-26 17:02:09 +0200
committerMartin/Geno2019-10-26 17:02:09 +0200
commit20e7fe629b82bbcf55d14c2c1e04e923a4750ef4 (patch)
tree9bb136367aa619db2e1af802660cac27b6353c92
parent25aa0c45ff0e4f72372fe29f3fde64aa932fc0d2 (diff)
downloadaur-20e7fe629b82bbcf55d14c2c1e04e923a4750ef4.tar.gz
add systemd files
-rw-r--r--.SRCINFO4
-rw-r--r--PKGBUILD8
-rw-r--r--jool.service38
-rw-r--r--jool_siit.service38
4 files changed, 84 insertions, 4 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 71e3289fbad5..3ae941ce52fc 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = jool-dkms-git
pkgdesc = Open Source SIIT and NAT64 for Linux.
- pkgver = 4.0.6.r1.g90033801
- pkgrel = 1
+ pkgver = 4.0.6.r2.g90033801
+ pkgrel = 2
url = https://www.jool.mx
arch = i686
arch = x86_64
diff --git a/PKGBUILD b/PKGBUILD
index 47904e9b5dd4..ffe78409e6fa 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -2,8 +2,8 @@
_pkgbase=jool
pkgname=${_pkgbase}-dkms-git
-pkgver=4.0.6.r1.g90033801
-pkgrel=1
+pkgver=4.0.6.r2.g90033801
+pkgrel=2
pkgdesc="Open Source SIIT and NAT64 for Linux."
arch=('i686' 'x86_64')
url="https://www.jool.mx"
@@ -37,4 +37,8 @@ package() {
cd ..
mkdir -p "${pkgdir}"/usr/src/${_pkgbase}-${ver}/
cp -r Jool-clean/* "${pkgdir}"/usr/src/${_pkgbase}-${ver}/
+
+ # Install service files
+ install -Dm644 ../jool.service "${pkgdir}"/usr/lib/systemd/system/jool.service
+ install -Dm644 ../jool_siit.service "${pkgdir}"/usr/lib/systemd/system/jool_siit.service
}
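Review bot: The two new `install` lines copy `../jool.service` and `../jool_siit.service` from a path relative to the current working directory, yet this diff (all 8 PKGBUILD changes are visible here) and the .SRCINFO change (pkgver/pkgrel only) add no `source=()` entries or `sha256sums=()` for them, so makepkg neither stages the units in `$srcdir` nor checks their integrity before they land in the package. Listing both files in `source=()` with checksums would make `install -Dm644 "${srcdir}/jool.service" "${pkgdir}"/usr/lib/systemd/system/jool.service` verifiable and independent of the preceding `cd ..`. `package()` begins before this hunk, so the directory that `..` resolves to is not visible from the diff.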
diff --git a/jool.service b/jool.service
new file mode 100644
index 000000000000..5f10bbc26a1c
--- /dev/null
+++ b/jool.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=Stateful NAT64
+Documentation=https://jool.mx/en/documentation.html
+After=network.target
+ConditionPathExists=/etc/jool/jool.conf
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+
+ExecStartPre=/sbin/modprobe jool
+ExecStart=/usr/bin/jool file handle /etc/jool/jool.conf
+ExecStop=/usr/bin/jool -f /etc/jool/jool.conf instance remove
+# Do not modprobe -r; some other instance could be running.
+
+# -- Security Section --
+# Long story short: All the jool clients need is read access on the config
+# files, and the Netlink socket to kernelspace.
+# The ExecStartPre above also needs to be able to modify kernel modules.
+# Everything else should probably be blocked.
+
+CapabilityBoundingSet=CAP_SYS_MODULE CAP_NET_ADMIN
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+InaccessiblePaths=/tmp /dev
+ProtectKernelTunables=yes
+ProtectKernelModules=no
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_NETLINK
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
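Review bot: The `[Service]` hardening block sets no `SystemCallFilter` and no `RestrictSUIDSGID`, so despite `CapabilityBoundingSet`, `NoNewPrivileges=yes` and the `AF_NETLINK`-only socket restriction the unit can still issue any syscall and create setuid/setgid files; `SystemCallFilter=@system-service @module` plus `RestrictSUIDSGID=yes` would match the intent stated in the comment (module loading and Netlink only), provided the jool client is checked against those sets. The same applies to jool_siit.service. `ExecStartPre=/sbin/modprobe jool` also relies on the `/sbin` compatibility symlink while every other Exec line uses `/usr/bin`; `/usr/bin/modprobe` keeps the unit consistent with itself and with the merged-/usr layout the PKGBUILD targets.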
diff --git a/jool_siit.service b/jool_siit.service
new file mode 100644
index 000000000000..a2cfecc787e7
--- /dev/null
+++ b/jool_siit.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=Stateless IP/ICMP Translator
+Documentation=https://jool.mx/en/documentation.html
+After=network.target
+ConditionPathExists=/etc/jool/jool_siit.conf
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+
+ExecStartPre=/sbin/modprobe jool_siit
+ExecStart=/usr/bin/jool_siit file handle /etc/jool/jool_siit.conf --force
+ExecStop=/usr/bin/jool_siit -f /etc/jool/jool_siit.conf instance remove
+# Do not modprobe -r; some other instance could be running.
+
+# -- Security Section --
+# Long story short: All the jool clients need is read access on the config
+# files, and the Netlink socket to kernelspace.
+# The ExecStartPre above also needs to be able to modify kernel modules.
+# Everything else should probably be blocked.
+
+CapabilityBoundingSet=CAP_SYS_MODULE CAP_NET_ADMIN
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+InaccessiblePaths=/tmp /dev
+ProtectKernelTunables=yes
+ProtectKernelModules=no
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_NETLINK
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
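Review bot: `ExecStart` passes `--force` to `jool_siit file handle`, whereas jool.service invokes `file handle` without it, and nothing in the unit explains the asymmetry. If the flag is deliberate (presumably it overrides a validation check that only the SIIT configuration triggers), a comment above the line such as `# --force: <reason it is required for SIIT>` would keep a maintainer from "fixing" the difference; if it is not, dropping it keeps the two units parallel. The file is otherwise a line-for-line copy of jool.service, so any hardening change made there should be mirrored here.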