authornulldev2021-10-26 12:24:35 -0400
committernulldev2021-10-26 12:24:35 -0400
commit9383aa6a46dc59ea2b6f03d5215d8312a509d31a (patch)
treee947495572834a09b1662b416a8d3eca0cae2fd1
parent92c3a01c6867210c1f550eb66bf489bdd33ff30c (diff)
downloadaur-9383aa6a46dc59ea2b6f03d5215d8312a509d31a.tar.gz
Add systemd service
-rw-r--r--PKGBUILD21
-rw-r--r--example.conf34
-rw-r--r--onetun.target2
-rw-r--r--onetun@.service23
4 files changed, 76 insertions, 4 deletions
diff --git a/PKGBUILD b/PKGBUILD
index fc633c6c8182..a76cbfd107d6 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -7,8 +7,18 @@ arch=('x86_64' 'i686' 'pentium4' 'aarch64' 'armv7h' 'armv6h')
url="https://github.com/aramperes/onetun"
license=('MIT')
makedepends=('cargo')
-source=("$url/archive/v$pkgver.tar.gz")
-sha256sums=('3e5e025104be2c601a7b4d528adae0b0fc98ff99f098d5b5d8d6a6ae70d61d58')
+source=(
+ "$url/archive/v$pkgver.tar.gz"
+ "$pkgname@.service"
+ "$pkgname.target"
+ "example.conf"
+)
+sha256sums=(
+ '3e5e025104be2c601a7b4d528adae0b0fc98ff99f098d5b5d8d6a6ae70d61d58'
+ 'SKIP'
+ 'SKIP'
+ 'SKIP'
+)
build() {
cd "$pkgname-$pkgver"
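Review bot: The three `'SKIP'` entries in `sha256sums` mean makepkg does not verify `$pkgname@.service`, `$pkgname.target` or `example.conf` at build time. These files decide how the daemon is started and sandboxed, so a modified or truncated copy would be packaged without any warning. `SKIP` is conventionally reserved for VCS sources whose content cannot be pinned. I would replace each one with the real digest, for example by running `updpkgsums` or pasting the output of `makepkg -g`, so that all four sources are pinned.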
@@ -16,8 +26,11 @@ build() {
}
package() {
- cd "$pkgname-$pkgver"
+ install -Dm644 "$pkgname@.service" -t "$pkgdir/usr/lib/systemd/system/"
+ install -Dm644 "$pkgname.target" -t "$pkgdir/usr/lib/systemd/system/"
+ install -Dm755 "example.conf" -t "$pkgdir/usr/share/$pkgname/"
- mkdir -p "$pkgdir/usr/bin/"
+ cd "$pkgname-$pkgver"
+ install -dm0700 "$pkgdir/etc/$pkgname/"
install -Dm755 "target/release/onetun" "$pkgdir/usr/bin/onetun"
}
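Review bot: `install -Dm755 "example.conf"` in package() marks a plain environment file as executable. Nothing executes it, so it should be a data file: `install -Dm644 "example.conf" -t "$pkgdir/usr/share/$pkgname/"`. The `install -dm0700 "$pkgdir/etc/$pkgname/"` line is the right call for a directory that will hold WireGuard private keys. A short comment above it would stop a later cleanup from loosening the mode, for example `# 0700: per-instance .conf files contain the peer's private key`.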
diff --git a/example.conf b/example.conf
new file mode 100644
index 000000000000..87cdc8c7cbab
--- /dev/null
+++ b/example.conf
@@ -0,0 +1,34 @@
+# This file configures onetun using environment variables
+# See onetun --help for more information
+
+# The address (IP + port) of the Wireguard endpoint (remote).
+ONETUN_ENDPOINT_ADDR=1.2.3.4:51820
+
+# The public key of the Wireguard endpoint (remote).
+ONETUN_ENDPOINT_PUBLIC_KEY=9Ztnedd1CxaLoWcxCCAusdamG2ag3ZRKtTLEEChnN2g=
+
+# Configures a persistent keep-alive for the WireGuard tunnel, in seconds.
+# ONETUN_KEEP_ALIVE=
+
+# Configures the log level and format.
+# ONETUN_LOG=
+
+# The private key of this peer. The corresponding public key should be registered in the Wireguard endpoint.
+# You can also use 'ONETUN_PRIVATE_KEY_FILE=' to specify a file containing the key instead.
+ONETUN_PRIVATE_KEY=uG76ogG4mYlOVe7N9+FEML790Zumecacihitssd/yF0=
+
+# The path to a file containing the private key of this peer. The corresponding public key should be registered in the Wireguard endpoint.
+# ONETUN_PRIVATE_KEY_FILE=
+
+# The source IP to identify this peer as (local).
+ONETUN_SOURCE_PEER_IP=192.168.4.3
+
+# Port forward configurations. The format of each argument is
+# [src_host:]<src_port>:<dst_host>:<dst_port>[:TCP,UDP,...], where [src_host] is the local IP
+# to listen on, <src_port> is the local port to listen on, <dst_host> is the remote peer IP
+# to forward to, and <dst_port> is the remote port to forward to. Environment variables must be
+# of the form 'ONETUN_PORT_FORWARD_[#]', where [#] starts at 1.
+ONETUN_PORT_FORWARD_1=127.0.0.1:80:10.0.0.2:8080:TCP
+ONETUN_PORT_FORWARD_2=127.0.0.1:443:10.0.0.2:8443:TCP,UDP
+ONETUN_PORT_FORWARD_3=127.0.0.1:1900:10.0.0.2:1900
+
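Review bot: `ONETUN_PRIVATE_KEY=` is shipped uncommented with a well-formed base64 key. A user who copies this file to `/etc/onetun/<name>.conf` and edits only the endpoint would run the tunnel with a key that is published in the package. These values appear to be samples, so I would make that unmistakable: comment the line out with a placeholder such as `# ONETUN_PRIVATE_KEY=<base64 private key of this peer>`, and do the same for `ONETUN_ENDPOINT_PUBLIC_KEY`. A header line telling the user to keep the copied file at mode 0600 and to prefer `ONETUN_PRIVATE_KEY_FILE` would also help. With the key-file option the secret stays out of the process environment, which child processes inherit.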
diff --git a/onetun.target b/onetun.target
new file mode 100644
index 000000000000..f6bf9c012b40
--- /dev/null
+++ b/onetun.target
@@ -0,0 +1,2 @@
+[Unit]
+Description=onetun instances
diff --git a/onetun@.service b/onetun@.service
new file mode 100644
index 000000000000..5f2881705157
--- /dev/null
+++ b/onetun@.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=onetun %I
+After=network-online.target nss-lookup.target
+Wants=network-online.target nss-lookup.target
+PartOf=onetun.target
+
+[Service]
+Type=simple
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectSystem=strict
+ProtectHome=yes # Prevent service from reading files in /home
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+ExecStart=/usr/bin/onetun
+EnvironmentFile=/etc/onetun/%i.conf
+
+[Install]
+WantedBy=multi-user.target
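Review bot: The line `ProtectHome=yes # Prevent service from reading files in /home` will not apply the protection. systemd only treats `#` as a comment at the start of a line, so the trailing text becomes part of the value. The value then fails to parse as a valid setting, systemd logs a warning and ignores the directive, and /home stays readable. Move the comment to its own line, `# Prevent service from reading files in /home`, followed by a bare `ProtectHome=yes`. Separately, the unit sets no `User=` or `DynamicUser=`, so the daemon runs as root despite the other hardening. If onetun only needs to bind low ports, as the example config's 80 and 443 suggest, `DynamicUser=yes` with `AmbientCapabilities=CAP_NET_BIND_SERVICE` would likely be enough and is worth testing.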