Tauri's `deb` and `rpm` bundler have support for configuring maintainer scripts. We can therefore just use those instead of tearing apart the `deb` file that it creates and rebuilding it ourselves. Our `rpm` packaging is currently completely broken as well. I couldn't get it to work on CentOS 9 at all due to missing dependencies, likely introduced by our move to Tauri v2. It installs fine on CentOS 10 though, assuming that the user has the EPEL repository installed which provides the WebView dependency. I extended the docs to reflect this. Hence, with this PR, we drop support for CentOS 9 and now require CentOS 10. This allows us to remove a lot of cruft from our bundling process and instead entirely rely on the Tauri provided bundler. Lastly, for consistency with other platforms, the name of the application in places like app drawers has been changed from "Firezone Client" to just "Firezone". --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
# systemd unit for the Firezone client tunnel service.
# The service runs as root, so the capability bounding set and the sandboxing
# directives below are what actually limit it. Directives are grouped by the
# surface they restrict; all values are unchanged.

[Unit]
Description=Firezone Client Tunnel Service
# Wants= pulls in systemd-resolved as a soft dependency; After= only orders
# this unit behind it.
Wants=systemd-resolved.service
After=systemd-resolved.service

[Service]
# --- Process, identity and environment ---
# The service itself tells systemd when it is ready.
Type=notify
# Not an absolute path: systemd resolves the binary against its built-in
# search path.
# NOTE(review): consider pinning the absolute path if the install location is fixed.
ExecStart=firezone-client-tunnel run
# Unfortunately we need root to control DNS
User=root
# NOTE(review): presumably this group lets the unprivileged client reach files
# or sockets the service creates; confirm who is a member.
Group=firezone-client
Environment="LOG_DIR=/var/log/dev.firezone.client"
# The leading "-" makes a missing file a non-error. Everything in this file
# lands in the environment of a root process.
# NOTE(review): keep the file root-owned and not writable by anyone else.
EnvironmentFile=-/etc/default/firezone-client-tunnel

# --- Capabilities and privilege gain ---
# The bounding set is the hard limit: root inside this unit holds nothing
# beyond the two capabilities listed here.
CapabilityBoundingSet=CAP_CHOWN CAP_NET_ADMIN
# NOTE(review): with User=root the bounding set already decides what the
# process holds; confirm the ambient set is still needed.
AmbientCapabilities=CAP_NET_ADMIN
# No privilege gain through execve (setuid binaries, file capabilities).
NoNewPrivileges=true
# The service may not create setuid/setgid files.
RestrictSUIDSGID=true
# The execution domain (personality) cannot be changed.
LockPersonality=true
# We need to be real root, not just root in our cgroup
PrivateUsers=false

# --- File system ---
# The whole hierarchy is read-only apart from /dev, /proc, /sys and the
# service directories declared below.
ProtectSystem=strict
# /home, /root and /run/user are not accessible.
ProtectHome=true
# Private /tmp and /var/tmp.
PrivateTmp=true
# Own mount namespace; mounts made by the service do not reach the host.
PrivateMounts=true
# Managed by systemd under /var/lib, /run and /var/log respectively.
StateDirectory=dev.firezone.client
RuntimeDirectory=dev.firezone.client
LogsDirectory=dev.firezone.client
# Allow anyone to read log files
# NOTE(review): this sets the directory mode only. With UMask=077 the files
# are created owner-only unless the service sets a mode itself; confirm the
# logs are readable as intended and hold nothing sensitive.
LogsDirectoryMode=755
UMask=077

# --- Devices, kernel and /proc ---
# Allow-list entry for the TUN device node.
DeviceAllow=/dev/net/tun
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
# Only the per-process part of /proc is exposed.
ProcSubset=pid
# Docs say it's useless when running as root, but defense-in-depth
ProtectProc=invisible

# --- Sockets, namespaces, memory and system calls ---
# Allow-list: sockets of any other address family cannot be created.
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
# No memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
# Allow-list of system call groups. No SystemCallErrorNumber= is set, so a
# call outside the list terminates the process.
# TODO: Minimize
SystemCallFilter=@aio @basic-io @file-system @io-event @ipc @network-io @signal @system-service

[Install]
WantedBy=default.target