b684ac0668
This commit simplifies the goreleaser configuration and then adds nfpm support, which allows us to build .deb and .rpm packages for each ARCH we support. The deb and rpm packages add systemd services and users, create directories, etc., and should in general give the user a working environment. We should be able to remove a lot of the complicated, PEBCAK-inducing documentation after this. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
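# systemd unit for the headscale coordination server.
# Runs the daemon as the unprivileged headscale user inside a restrictive
# sandbox; only the state and runtime directories are meant to be writable.

[Unit]
# syslog.target is a legacy ordering target; kept as in the original.
After=syslog.target
After=network.target
Description=headscale coordination server for Tailscale
# Options prefixed with X- are ignored by systemd itself; this line only has
# an effect for external tooling that understands it.
X-Restart-Triggers=/etc/headscale/config.yaml

[Service]
Type=simple
User=headscale
Group=headscale
ExecStart=/usr/bin/headscale serve
Restart=always
# seconds to wait before restarting
RestartSec=5

WorkingDirectory=/var/lib/headscale
# With ProtectSystem=strict the file system is read-only except for these
# paths. NOTE(review): /var/run makes the whole runtime tree writable, while
# RuntimeDirectory=headscale below already provides a private
# /run/headscale. Narrow this once the configured socket path is confirmed
# to live under that directory.
ReadWritePaths=/var/lib/headscale /var/run

# CAP_NET_BIND_SERVICE lets the non-root service bind ports below 1024.
# The bounding set must list every ambient capability, otherwise the
# capability is masked and never reaches the process; the original bounding
# set listed only CAP_CHOWN.
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
LockPersonality=true
NoNewPrivileges=true
PrivateDevices=true
PrivateMounts=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
# Was specified twice (true and yes); one assignment is enough.
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
# Creates /run/headscale and /var/lib/headscale owned by the service user.
RuntimeDirectory=headscale
RuntimeDirectoryMode=0750
StateDirectory=headscale
StateDirectoryMode=0750
SystemCallArchitectures=native
# The first entry makes this an allow-list; later entries add to it or, with
# a leading ~, remove from it.
# NOTE(review): @privileged contains @chown, so the final line appears to
# remove the chown calls allowed by the first one. Confirm whether the
# service needs chown at runtime, and if so list @chown after ~@privileged.
SystemCallFilter=@chown
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
# Files created by the service are accessible to its owner only.
UMask=0077

[Install]
WantedBy=multi-user.target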