Add a systemd unit file for hippotatd.service
authorBen Harris <bjh21@bjh21.me.uk>
Sun, 1 Mar 2026 13:45:34 +0000 (13:45 +0000)
committerBen Harris <bjh21@bjh21.me.uk>
Sun, 1 Mar 2026 13:45:34 +0000 (13:45 +0000)
This mostly replicates the functionality of the existing init script.
It uses the same /etc/default/hippotatd as the init script, but loads it
using EnvironmentFile=.  That means that variable assignments in that
file will work, but not more complicated shell constructs.

systemd doesn't have a convenient way to set the service user from an
environment variable, so users who have set USER in
/etc/default/hippotatd will instead need to create a drop-in file under
/etc/systemd/system/hippotatd.service.d containing something like:

[Service]
User=my-hippotat-user

The init script checks that USER (possibly set by
/etc/default/hippotatd) and LOGNAME (set by systemd based on User=)
agree to make sure that both sources agree on what user hippotatd should
run as.

debian/hippotat-server.hippotatd.service [new file with mode: 0644]
debian/rules
docs/install.md

diff --git a/debian/hippotat-server.hippotatd.service b/debian/hippotat-server.hippotatd.service
new file mode 100644 (file)
index 0000000..b62c3a6
--- /dev/null
@@ -0,0 +1,42 @@
+[Unit]
+Description=asinine IP over HTTP server
+Wants=userv.service
+
+[Service]
+# These settings can be overridden in /etc/default/hippotatd
+Environment=DAEMON=/usr/sbin/hippotatd
+Environment=MAIN_CONFIG=/etc/hippotat/main.cfg
+Environment=LOGFACILITY=daemon
+Environment=CHECK_FIREWALL=true
+Environment=HIPPOTATD_ARGS=
+
+EnvironmentFile=-/etc/default/hippotatd
+
+User=_hippotat
+
+# Don't run if unconfigured.
+ExecCondition=egrep -q '^[^ \t#]' ${MAIN_CONFIG}
+
+# Fail if user appears to have overridden USER but not User= (which
+# sets LOGNAME).  To change the user that hippotatd runs as, use a
+# drop-in in /etc/systemd/system/hippotatd.service.d to override
+# User=.
+ExecStartPre=test ${USER} = ${LOGNAME}
+
+# Fetch iptables configuration and check if it's reasonable if
+# CHECK_FIREWALL is "true".
+RuntimeDirectory=hippotat
+RuntimeDirectoryMode=0700
+ExecStartPre=:!sh -c 'if "${CHECK_FIREWALL}"; then \
+  iptables -L -v -n > "${RUNTIME_DIRECTORY}"/firewall_rules; fi'
+ExecStartPre=:sh -c 'if "${CHECK_FIREWALL}"; then \
+  vnetwork="$($DAEMON $HIPPOTATD_ARGS --print-config vnetwork)" && \
+  fgrep " $vnetwork " "${RUNTIME_DIRECTORY}"/firewall_rules > /dev/null; fi'
+
+Type=notify
+ExecStart=:sh -c '\
+  if type authbind >/dev/null 2>&1; then AUTHBIND=authbind; fi; \
+  exec $AUTHBIND "$DAEMON" --syslog-facility="$LOGFACILITY" $HIPPOTATD_ARGS'
+
+[Install]
+WantedBy=multi-user.target
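Review bot: `if "${CHECK_FIREWALL}"; then` in both firewall `ExecStartPre=` lines runs the variable's value as a command rather than comparing it with "true", and the first of the two runs without the `User=` privilege drop because of the `!` prefix. The value is read from `/etc/default/hippotatd`, so a setting such as `no` or `0` only skips the check through a command-not-found failure, and any other word is executed as a program, with full privileges in the first line. A string comparison, `if [ "${CHECK_FIREWALL}" = true ]; then`, matches the comment above the block and removes that execution. The second line also leaves `$DAEMON` unquoted where `ExecStart=` quotes it; `"$DAEMON"` would be consistent. The existing init script is not shown on this page and may use the same construct, in which case the two should be changed together.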
index e63965cf41163a288dfd8f69812f6e7831559507..3e05817773d1048c737e4f7e0553598242550acf 100755 (executable)
@@ -5,6 +5,8 @@
 
 override_dh_installinit:
        dh_installinit --name=hippotatd
+override_dh_installsystemd:
+       dh_installsystemd --name=hippotatd
 
 # For local testing with upstream dependencies:
 #    NAILING_CARGO=nailing-cargo make check
index 227a9b3ddb1bcb9b83caf69700dd4bf3408c729b..631fb05e3a833a128f6053d6a100252996b21a2c 100644 (file)
@@ -133,12 +133,13 @@ Startup - server
 
 The `hippotat-server` package
 supplies an init script
+and a systemd unit, either of
 which will start the `hippotatd` server program,
 if `/etc/hippotat/main.cfg` exists.
 If you just created that file, 
 `service hippotatd start` will start the server..
 
-Consult the init script to see options you can put in
+Consult the init script or unit file to see options you can put in
 `/etc/default/hippotat`.