6 files changed, 43 insertions, 12 deletions

diff --git a/.SRCINFO b/.SRCINFO
index d8e652fb98dc..94e6c84f33a8 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
 pkgbase = jicofo
 	pkgdesc = JItsi meet COnference FOcus
 	pkgver = 1.0_589
-	pkgrel = 3
+	pkgrel = 4
 	url = https://github.com/jitsi/jicofo
 	arch = x86_64
 	license = Apache
@@ -12,13 +12,17 @@ pkgbase = jicofo
 	backup = etc/jitsi/jicofo/jicofo.conf
 	backup = etc/jitsi/jicofo/sip-communicator.properties
 	source = jicofo-1.0_589.tar.gz::https://github.com/jitsi/jicofo/archive/stable/jitsi-meet_4627.tar.gz
-	source = jicofo.service
 	source = jicofo.conf
+	source = jicofo.service
 	source = sip-communicator.properties
+	source = sysusers.conf
+	source = tmpfiles.conf
 	sha256sums = eaf298ee6c7c8e394ff58075e8f5f3d5791952ed2b6a1cac5596dad34113736d
-	sha256sums = a28d21abcbb58ac50c974aba04360c3307a37074b420e40abd016e9d9adddd85
 	sha256sums = 3a558324a17011cf48e033ce265d45cc06a0b53e009984e841496f1cd4d7519d
+	sha256sums = 82937c73200a38326e4362fcf0cbc27ad710a0c0c5708e5f84815d10dfd86a86
 	sha256sums = ed3a2c91d3f6c92f3aeae4dd852f04196ed57cc0c8a33da3bae6c1fb26b88294
+	sha256sums = 0681e97ca1e06d8ea7bdec0a874c6fc7a6ea84628923005130cd444547a1b440
+	sha256sums = b4ed1528f804056b43d47a8214f2ed853b31a8cedbafb96c26fae556df554be8
 
 pkgname = jicofo
 
diff --git a/.gitignore b/.gitignore
index a3580d3d9583..5aaf857cbe98 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,5 @@
 !jicofo.service
 !jicofo.conf
 !sip-communicator.properties
+!sysusers.conf
+!tmpfiles.conf
diff --git a/PKGBUILD b/PKGBUILD
index a38e9af64ff5..c8cb3aa9a795 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -2,7 +2,7 @@ pkgname=jicofo
 # https://github.com/jitsi/jicofo/releases/latest
 pkgver=1.0_589
 _tag="jitsi-meet_4627"
-pkgrel=3
+pkgrel=4
 pkgdesc="JItsi meet COnference FOcus"
 arch=("x86_64")
 url="https://github.com/jitsi/jicofo"
@@ -12,13 +12,17 @@ makedepends=("git" "unzip" "maven")
 backup=("etc/jitsi/jicofo/jicofo.conf"
         "etc/jitsi/jicofo/sip-communicator.properties")
 source=($pkgname-$pkgver.tar.gz::https://github.com/jitsi/jicofo/archive/stable/${_tag}.tar.gz
-        jicofo.service
         jicofo.conf
-        sip-communicator.properties)
+        jicofo.service
+        sip-communicator.properties
+        sysusers.conf
+        tmpfiles.conf)
 sha256sums=('eaf298ee6c7c8e394ff58075e8f5f3d5791952ed2b6a1cac5596dad34113736d'
-            'a28d21abcbb58ac50c974aba04360c3307a37074b420e40abd016e9d9adddd85'
             '3a558324a17011cf48e033ce265d45cc06a0b53e009984e841496f1cd4d7519d'
-            'ed3a2c91d3f6c92f3aeae4dd852f04196ed57cc0c8a33da3bae6c1fb26b88294')
+            '82937c73200a38326e4362fcf0cbc27ad710a0c0c5708e5f84815d10dfd86a86'
+            'ed3a2c91d3f6c92f3aeae4dd852f04196ed57cc0c8a33da3bae6c1fb26b88294'
+            '0681e97ca1e06d8ea7bdec0a874c6fc7a6ea84628923005130cd444547a1b440'
+            'b4ed1528f804056b43d47a8214f2ed853b31a8cedbafb96c26fae556df554be8')
 
 build() {
     cd "${srcdir}/${pkgname}-stable-$_tag"
@@ -29,7 +33,9 @@ build() {
 package() {
     install -d "${pkgdir}/usr/share"
     cp -R "${srcdir}/${pkgname}-stable-${_tag}/jicofo-1.1-SNAPSHOT/" "${pkgdir}/usr/share/jicofo"
-    install -Dm644 jicofo.service "$pkgdir"/usr/lib/systemd/system/jicofo.service
-    install -Dm644 jicofo.conf "$pkgdir"/etc/jitsi/jicofo/jicofo.conf
-    install -Dm644 sip-communicator.properties "${pkgdir}"/etc/jitsi/jicofo/sip-communicator.properties
+    install -Dm644 jicofo.conf "$pkgdir/etc/jitsi/jicofo/jicofo.conf"
+    install -Dm644 jicofo.service "$pkgdir/usr/lib/systemd/system/jicofo.service"
+    install -Dm644 sip-communicator.properties "${pkgdir}/etc/jitsi/jicofo/sip-communicator.properties"
+    install -Dm644 sysusers.conf "${pkgdir}/usr/lib/sysusers.d/jicofo.conf"
+    install -Dm644 tmpfiles.conf "${pkgdir}/usr/lib/tmpfiles.d/jicofo.conf"
 }
diff --git a/jicofo.service b/jicofo.service
index 788f19552fc8..d540b2474944 100644
--- a/jicofo.service
+++ b/jicofo.service
@@ -1,13 +1,28 @@
 [Unit]
-Description=Jicofo
+Description=JItsi COnference FOcus
 Wants=network-online.target
 After=network-online.target
 
 [Service]
 Type=simple
 EnvironmentFile=/etc/jitsi/jicofo/jicofo.conf
+User=jicofo
 ExecStart=/usr/share/jicofo/jicofo.sh --host=${JICOFO_HOST} --domain=${JICOFO_HOSTNAME} --port=${JICOFO_PORT} --secret=${JICOFO_SECRET} --user_name=${JICOFO_AUTH_USER} --user_domain=${JICOFO_AUTH_DOMAIN} --user_password=${JICOFO_AUTH_PASSWORD} ${JICOFO_OPTS}
+WorkingDirectory=~
+StateDirectory=jicofo
+StateDirectoryMode=0750
+LogsDirectory=jicofo
+LogsDirectoryMode=0750
 Restart=on-failure
 
+# Hardening
+#NoNewPrivileges=yes
+#PrivateTmp=yes
+#PrivateDevices=yes
+#ProtectHome=yes
+#ProtectKernelTunables=yes
+#ProtectControlGroups=yes
+#ProtectSystem=strict
+
 [Install]
 WantedBy=multi-user.target
diff --git a/sysusers.conf b/sysusers.conf
new file mode 100644
index 000000000000..9991955c9e48
--- /dev/null
+++ b/sysusers.conf
@@ -0,0 +1,2 @@
+g jitsi
+u jicofo -:jitsi - /var/lib/jicofo
diff --git a/tmpfiles.conf b/tmpfiles.conf
new file mode 100644
index 000000000000..e06fe710b8da
--- /dev/null
+++ b/tmpfiles.conf
@@ -0,0 +1,2 @@
+Z /etc/jitsi/jicofo 0640 jicofo jitsi
+z /etc/jitsi/jicofo 0750 jicofo jitsi