From 26395cd3595db1988fa64d7c8c0bc814c6631548 Mon Sep 17 00:00:00 2001
From: Sven-Hendrik Haase <svenstaro@gmail.com>
Date: Sun, 18 Apr 2021 09:27:57 +0200
Subject: [PATCH] Add hardened systemd unit file

---
 CHANGELOG.md                 |  1 +
 README.md                    | 23 +++++++++++++++++++++++
 packaging/miniserve@.service | 28 ++++++++++++++++++++++++++++
 3 files changed, 52 insertions(+)
 create mode 100644 packaging/miniserve@.service

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8963b4c..d542b4f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 <!-- next-header -->
 
 ## [Unreleased] - ReleaseDate
+- Add hardened systemd template unit file to `packaging/miniserve@.service`
 
 ## [0.14.0] - 2021-04-18
 - Fix breadcrumbs for right-to-left languages [#489](https://github.com/svenstaro/miniserve/pull/489) (thanks @aliemjay)
diff --git a/README.md b/README.md
index 122d67e..80648b9 100644
--- a/README.md
+++ b/README.md
@@ -205,6 +205,29 @@ few examples with common paths are provided below:
     # For fish
     miniserve --print-completions fish > ~/.config/fish/completions/miniserve.fish
 
+## systemd
+
+A hardened systemd-compatible unit file can be found in `packaging/miniserve@.service`. You could
+install this to `/etc/systemd/system/miniserve@.service` and start and enable `miniserve` as a
+daemon on a specific serve path `/my/serve/path` like this:
+
+    systemctl enable --now miniserve@-my-serve-path
+
+Keep in mind that you'll have to use `systemd-escape` to properly escape a path for this usage.
+
+In case you want to customize the particular flags that miniserve launches with, you can use
+
+    systemctl edit miniserve@-my-serve-path
+
+and set the `[Service]` part in the resulting `override.conf` file. For instance:
+
+    [Service]
+    ExecStart=/usr/bin/miniserve --enable-tar --enable-zip --no-symlinks --verbose -i ::1 -p 1234 --title Saugeland --color-scheme monokai --color-scheme-dark monokai -- %I
+
+Make sure to leave the `%I` at the very end in place or the wrong path might be served. You
+might additionally have to override `IPAddressAllow` and `IPAddressDeny` if you plan on making
+miniserve directly available on a public interface.
+
 ## Binding behavior
 
 For convenience reasons, miniserve will try to bind on all interfaces by default (if no `-i` is provided).
diff --git a/packaging/miniserve@.service b/packaging/miniserve@.service
new file mode 100644
index 0000000..9dc5fe0
--- /dev/null
+++ b/packaging/miniserve@.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=miniserve for %i
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+ExecStart=/usr/bin/miniserve -- %I
+
+IPAccounting=yes
+IPAddressAllow=localhost
+IPAddressDeny=any
+DynamicUser=yes
+PrivateTmp=yes
+PrivateUsers=yes
+PrivateDevices=yes
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
+
+[Install]
+WantedBy=multi-user.target