dnc: fix systemd service

Remove the needs of dnc user. We should not force admins to create
a new dedicated user.
Use a env variable to cache data and add fallbacks to avoid any crash

Change-Id: If8fa2ced856c36f2d63870f9b6a6fc7839d91040

tools/common.cpp

@@ -29,6 +29,20 @@
 
 namespace dhtnet {
 
+std::filesystem::path cachePath()
+{
+    auto* cache_path = getenv("DHTNET_CACHE_DIR");
+    if (cache_path) {
+        return std::filesystem::path(cache_path);
+    }
+    auto* home = getenv("HOME");
+    if (home) {
+        return std::filesystem::path(home) / ".cache" / "dhtnet";
+    }
+    // If user got no HOME and no DHTNET_CACHE_DIR set, use /tmp
+    return std::filesystem::path("/tmp");
+}
+
 std::unique_ptr<ConnectionManager::Config>
 connectionManagerConfig(dht::crypto::Identity identity,
                         const std::string& bootstrap,
@@ -41,7 +55,6 @@ connectionManagerConfig(dht::crypto::Identity identity,
                         const std::string& turn_pass,
                         const std::string& turn_realm)
 {
-    std::filesystem::create_directories(PATH/"certstore");
     // DHT node creation: To make a connection manager at first a DHT node should be created
     dht::DhtRunner::Config dhtConfig;
     dhtConfig.dht_config.id = identity;
@@ -70,7 +83,7 @@ connectionManagerConfig(dht::crypto::Identity identity,
     config->id = identity;
     config->ioContext = ioContext;
     config->certStore = certStore;
-    config->cachePath = PATH;
+    config->cachePath = cachePath();
     config->factory = iceFactory;
     config->logger = logger;
     if (!turn_host.empty()){

tools/common.h

@@ -25,7 +25,8 @@ namespace dhtnet {
 
 using Buffer = std::shared_ptr<std::vector<uint8_t>>;
 constexpr size_t BUFFER_SIZE = 64 * 1024;
-const std::filesystem::path PATH = std::filesystem::path(getenv("HOME")) / ".dhtnet";
+
+std::filesystem::path cachePath();
 
 std::unique_ptr<ConnectionManager::Config> connectionManagerConfig(
     dht::crypto::Identity identity,

tools/dnc/README.md

@@ -46,8 +46,10 @@ To facilitate SSH connections to a remote device, dnc establishes a DHT network
 To initiate, generate a certificate authority and a server certificate:
 
 ```shell
-sudo dhtnet-crtmgr --setup -o /etc/dhtnet/
+sudo dhtnet-crtmgr --setup -o /usr/local/etc/dhtnet/
 ```
+The server will cache some values in `/var/run/dhtnet`. If this must be changed,
+you can remove the line `Environment="DHTNET_CACHE_DIR=/var/run/dhtnet"` in `dnc.service.in`.
 Then, launch the dnc service:
 ```shell
 systemctl start dnc.service

tools/dnc/dnc.cpp

@@ -62,9 +62,7 @@ Dnc::Dnc(dht::crypto::Identity identity,
          const bool anonymous)
     : logger(dht::log::getStdLogger())
     , ioContext(std::make_shared<asio::io_context>()),
-    iceFactory(std::make_shared<IceTransportFactory>(logger)),
-    certStore(std::make_shared<tls::CertificateStore>(PATH/"certstore", logger)),
-    trustStore(std::make_shared<tls::TrustStore>(*certStore))
+    iceFactory(std::make_shared<IceTransportFactory>(logger))
 {
     ioContextRunner = std::thread([context = ioContext, logger = logger] {
         try {
@@ -76,6 +74,9 @@ Dnc::Dnc(dht::crypto::Identity identity,
         }
     });
 
+    certStore = std::make_shared<tls::CertificateStore>(cachePath()/"certStore", logger);
+    trustStore = std::make_shared<tls::TrustStore>(*certStore);
+
     auto ca = identity.second->issuer;
     trustStore->setCertificateStatus(ca->getId().toString(), tls::TrustStore::PermissionStatus::ALLOWED);
 

tools/dnc/systemd/dnc.service.in

@@ -2,41 +2,19 @@
 Description=Dnc server
 Documentation=man:dnc(1)
 After=network.target
+Wants=network-online.target
+Documentation=https://git.jami.net/savoirfairelinux/dhtnet/blob/master/tools/dvpn/README.md
 
 [Service]
-Type=simple
-User=dnc
-Group=dnc
+Type=exec
+Environment="DHTNET_CACHE_DIR=/var/run/dhtnet"
 ExecStart=@bindir@/dnc -l -d @sysconfdir@/dhtnet/dnc.yaml -c @sysconfdir@/dhtnet/id/id-server.crt -p @sysconfdir@/dhtnet/id/id-server.pem
 Restart=on-failure
-RestartSec=2s
-LimitNOFILE=65536
-DynamicUser=yes
-KillMode=process
-WorkingDirectory=/tmp
-
-# Hardening
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-LockPersonality=yes
-NoNewPrivileges=yes
-PrivateDevices=yes
-PrivateTmp=yes
-PrivateUsers=yes
-ProtectClock=yes
-ProtectControlGroups=yes
-ProtectHome=yes
-ProtectHostname=yes
-ProtectKernelLogs=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
 ProtectSystem=strict
-ReadOnlyDirectories=/
-ReadWriteDirectories=-/proc/self
-ReadWriteDirectories=-/var/run
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=yes
-RestrictRealtime=yes
-SystemCallArchitectures=native
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+PrivateDevices=yes
 SystemCallFilter=@system-service
 
 [Install]

tools/dsh/dsh.cpp

@@ -95,7 +95,7 @@ dhtnet::Dsh::Dsh(dht::crypto::Identity identity,
     :logger(dht::log::getStdLogger())
     , ioContext(std::make_shared<asio::io_context>()),
     iceFactory(std::make_shared<IceTransportFactory>(logger)),
-    certStore(std::make_shared<tls::CertificateStore>(PATH/"certstore", logger)),
+    certStore(std::make_shared<tls::CertificateStore>(cachePath()/"certstore", logger)),
     trustStore(std::make_shared<tls::TrustStore>(*certStore))
 {
     ioContext = std::make_shared<asio::io_context>();

tools/dvpn/dvpn.cpp

@@ -166,7 +166,7 @@ dhtnet::Dvpn::Dvpn(dht::crypto::Identity identity,
     : logger(dht::log::getStdLogger())
     , ioContext(std::make_shared<asio::io_context>()),
     iceFactory(std::make_shared<IceTransportFactory>(logger)),
-    certStore(std::make_shared<tls::CertificateStore>(PATH/"certstore", logger)),
+    certStore(std::make_shared<tls::CertificateStore>(cachePath()/"certstore", logger)),
     trustStore(std::make_shared<tls::TrustStore>(*certStore))
 {
     ioContextRunner = std::thread([context = ioContext, logger = logger] {