Add systemd service

3 files changed, 67 insertions, 6 deletions

diff --git a/.SRCINFO b/.SRCINFO
index 744c64c8a1dc..6d094aaad550 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -13,6 +13,8 @@ pkgbase = matrix-media-repo
 	depends = imagemagick
 	provides = matrix-media-repo
 	source = git+https://github.com/t2bot/matrix-media-repo.git#tag=v1.3.4
+	source = matrix-media-repo.service
+	sha256sums = SKIP
 	sha256sums = SKIP
 
 pkgname = matrix-media-repo
diff --git a/PKGBUILD b/PKGBUILD
index fe0b215d8fd7..4e62e45b18c0 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -9,12 +9,8 @@ depends=("glibc" "libheif" "libde265" "imagemagick")
 makedepends=("go" "git")
 backup=()
 provides=("matrix-media-repo")
-source=("git+https://github.com/t2bot/matrix-media-repo.git#tag=v${pkgver}")
-sha256sums=('SKIP')
-
-function prepare() {
-	cd "${srcdir}/matrix-media-repo"
-}
+source=("git+https://github.com/t2bot/matrix-media-repo.git#tag=v${pkgver}" "matrix-media-repo.service")
+sha256sums=("SKIP" "SKIP")
 
 function build() {
 	cd "${srcdir}/matrix-media-repo"
@@ -37,4 +33,9 @@ function package() {
 	mkdir -p "${pkgdir}/usr/lib/matrix-media-repo"
 	cp "${srcdir}/matrix-media-repo/bin"/* "${pkgdir}/usr/lib/matrix-media-repo"
 	chmod 755 -R "${pkgdir}/usr/lib/matrix-media-repo"
+	install -Dm644 "${srcdir}/matrix-media-repo.service" "${pkgdir}/usr/lib/systemd/system/matrix-media-repo.service"
+	echo "Home directory for Matrix Media Repo is at: /var/lib/matrix-media-repo"
+	echo "Configure MMR in /etc/matrix-media-repo.yaml"
+	install -d "${pkgdir}/etc"
+	touch "${pkgdir}/etc/matrix-media-repo.yaml"
 }
diff --git a/matrix-media-repo.service b/matrix-media-repo.service
new file mode 100755
index 000000000000..629017d53d9e
--- /dev/null
+++ b/matrix-media-repo.service
@@ -0,0 +1,58 @@
+[Unit]
+Description=Matrix Media Repo
+RequiresMountsFor=/var/lib/private/matrix-media-repo
+After=network.target
+
+[Service]
+OOMPolicy=stop
+OOMScoreAdjust=10
+
+DynamicUser=yes
+ExecStartPre=/usr/bin/cp "/etc/matrix-media-repo.yaml" "/var/lib/private/matrix-media-repo/config.yaml"
+ExecStart=/usr/lib/matrix-media-repo/media_repo -config /var/lib/private/matrix-media-repo/config.yaml
+Restart=always
+StateDirectory=matrix-media-repo
+WorkingDirectory=/var/lib/private/matrix-media-repo
+#CPUQuota=35%
+CPUWeight=80
+RestartSec=1s
+
+ProtectProc=invisible
+PrivateUsers=yes
+RestrictNamespaces=yes
+UMask=077
+
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+#SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@swap
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target