From edf612adeeedc26bc75281041b2fe5ff5f68243a Mon Sep 17 00:00:00 2001
From: Colin <accounts.github@uninsane.org>
Date: Sat, 2 Nov 2024 10:10:15 +0000
Subject: [PATCH] add buffyboard systemd service

---
 CHANGELOG.md                     |  1 +
 buffyboard/buffyboard.service.in | 38 ++++++++++++++++++++++++++++++++
 buffyboard/meson.build           | 17 ++++++++++++++
 meson_options.txt                |  1 +
 4 files changed, 57 insertions(+)
 create mode 100644 buffyboard/buffyboard.service.in

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d5fc7a7..0606389 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,7 @@ If a change only affects particular applications, they are listed in parentheses
 - fix: Prevent logging internal LVGL errors to stdout
 - misc: Make scdoc a native dependency to enable cross-compilation (!30, thanks @uninsane)
 - fix: Use usleep to release CPU when possible (!31, thanks @uninsane)
+- feat(buffyboard): Add a buffyboard.service systemd service (!34, @uninsane)
 
 ## 3.2.0 (2024-06-03)
 
diff --git a/buffyboard/buffyboard.service.in b/buffyboard/buffyboard.service.in
new file mode 100644
index 0000000..333f6b0
--- /dev/null
+++ b/buffyboard/buffyboard.service.in
@@ -0,0 +1,38 @@
+[Unit]
+Documentation=https://gitlab.postmarketos.org/postmarketOS/buffybox
+
+[Service]
+ExecStart=@bindir@/buffyboard
+Restart=on-failure
+
+# Allow access to input devices, framebuffer, tty
+DevicePolicy=closed
+DeviceAllow=/dev/uinput rw
+DeviceAllow=char-fb rw
+DeviceAllow=char-input rw
+DeviceAllow=char-tty rw
+# udev requires some limited networking
+RestrictAddressFamilies=AF_NETLINK
+
+# Hardening
+CapabilityBoundingSet=
+NoNewPrivileges=true
+RestrictSUIDSGID=true
+PrivateMounts=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RemoveIPC=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+SystemCallFilter=~@resources
diff --git a/buffyboard/meson.build b/buffyboard/meson.build
index b80c42f..a21ae2e 100644
--- a/buffyboard/meson.build
+++ b/buffyboard/meson.build
@@ -24,3 +24,20 @@ executable('buffyboard',
 
 install_data('buffyboard.conf', install_dir: get_option('sysconfdir'))
 
+systemd = dependency('systemd', required: get_option('systemd-buffyboard-service'))
+if systemd.found()
+    system_unit_dir = systemd.get_variable(
+        pkgconfig: 'systemd_system_unit_dir',
+        pkgconfig_define: ['prefix', get_option('prefix')],
+    )
+
+    configure_file(
+      input : 'buffyboard.service.in',
+      output : 'buffyboard.service',
+      install : true,
+      install_dir : system_unit_dir,
+      configuration : {
+        'bindir' : get_option('prefix') / get_option('bindir'),
+      },
+    )
+endif
diff --git a/meson_options.txt b/meson_options.txt
index 23c6547..5a1bc13 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -1,2 +1,3 @@
 option('with-drm', type: 'feature', value: 'auto', description: 'Enable DRM backend')
 option('man', type: 'boolean', value: true, description: 'Install manual pages')
+option('systemd-buffyboard-service', type: 'feature', value: 'auto', description: 'Install systemd service file for buffyboard')
-- 
GitLab