From a31a59e838b0b6c5565b457607bcf5cf42ce328c Mon Sep 17 00:00:00 2001
From: Mike Heier
Date: Wed, 12 Jul 2023 03:00:29 +0000
Subject: [PATCH] add service file
---
env | 6 ++++++
satdress.service | 44 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+)
create mode 100644 env
create mode 100644 satdress.service
diff --git a/env b/env
new file mode 100644
index 0000000..8e76edc
--- /dev/null
+++ b/env
@@ -0,0 +1,6 @@
+PORT=17422
+DOMAIN=bitmia.com
+SECRET=askdbasjdhvakjvsdjasd
+SITE_OWNER_URL=https://t.me/qecez
+SITE_OWNER_NAME=@qecez
+SITE_NAME=Bitmia
diff --git a/satdress.service b/satdress.service
new file mode 100644
index 0000000..87626ca
--- /dev/null
+++ b/satdress.service
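Review bot: `SECRET=askdbasjdhvakjvsdjasd` in the new `env` file commits what appears to be a live application secret to the repository, alongside the production domain. Anyone with read access to the history can recover it, and a later delete does not remove it from earlier commits. The value also looks hand-typed rather than randomly generated. I would commit a template instead, for example `env.example` containing `SECRET=<generate-with-a-CSPRNG>`, and list the real `env` in `.gitignore`. The current value should be rotated (after checking what the application derives from it), and the real file installed at `/etc/satdress/env`, the path `EnvironmentFile=` reads, with mode 0600 and owned by the service account.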
@@ -0,0 +1,44 @@
+[Unit]
+Description=Satdress: federated Lightning addresses server
+After=network.target
+
+[Service]
+Type=simple
+User=root
+Group=root
+WorkingDirectory=/mnt/data/satdress/data
+ExecStart=/usr/local/bin/satdress
+Restart=on-failure
+RestartSec=10
+EnvironmentFile=/etc/satdress/env
+
+# Sandboxing options to harden security
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+#NoNewPrivileges=yes
+#PrivateTmp=yes
+#PrivateDevices=yes
+#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+#RestrictNamespaces=yes
+#RestrictRealtime=yes
+#DevicePolicy=closed
+#ProtectSystem=full
+#ProtectControlGroups=yes
+#ProtectKernelModules=yes
+#ProtectKernelTunables=yes
+#LockPersonality=yes
+#SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target
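Review bot: `User=root` / `Group=root` in `[Service]` runs this network-facing daemon as root while every sandboxing directive below it is still commented out. The `CapabilityBoundingSet=` deny-list is then the only confinement, and it leaves capabilities such as CAP_DAC_OVERRIDE, CAP_SETUID and CAP_CHOWN in place. The env file in this commit sets `PORT=17422`, an unprivileged port, so nothing visible here needs root. A dedicated account (for example `User=satdress` / `Group=satdress`, owning the WorkingDirectory) and uncommenting at least `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectSystem=full` would limit what a compromised HTTP handler can reach. Separately, `CAP_RAWIO` on the first bounding-set line is not a capability name (the kernel's is `CAP_SYS_RAWIO`), so that capability is probably not being dropped; `systemd-analyze security satdress.service` will show the resulting exposure.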