From 1a91a132994fe8c402e4bf22fdc4421ddde683cb Mon Sep 17 00:00:00 2001
From: Ben Harris <bjh21@bjh21.me.uk>
Date: Sun, 16 Dec 2018 19:24:46 +0000
Subject: [PATCH] clunk.service: stop running clunk as root.

A combination of DynamicUser, SupplementaryGroups, an StateDirectory
allows it to have close to the minimum necessary privilege.
---
 clunk.service | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/clunk.service b/clunk.service
index 510c3fe..398af7a 100644
--- a/clunk.service
+++ b/clunk.service
@@ -1,10 +1,13 @@
-# systemd unit file for clunk(8)
+# Example systemd unit file for clunk(8) on Raspbian
 [Unit]
 Description=pulse clock driver (clunk)
 Documentation=man:clunk(8)
 
 [Service]
-ExecStart=clunk -f /var/lib/clunk.state -C pinctrl-bcm2835 -L 17
+DynamicUser=true
+SupplementaryGroups=gpio
+StateDirectory=clunk
+ExecStart=clunk -f /var/lib/clunk/clunk.state -C pinctrl-bcm2835 -L 17
 
 [Install]
 WantedBy=multi-user.target
-- 
2.30.2