Commit 0e5f0761 authored by Amna Snene's avatar Amna Snene Committed by Sébastien Blin

dnc: fix systemd service

Remove the need for a dnc user. We should not force admins to create
a new dedicated user.
Use an env variable for the cache data location and add fallbacks to avoid any crash

Change-Id: If8fa2ced856c36f2d63870f9b6a6fc7839d91040
parent 0da84a73
...@@ -29,6 +29,20 @@ ...@@ -29,6 +29,20 @@
namespace dhtnet { namespace dhtnet {
std::filesystem::path cachePath()
{
auto* cache_path = getenv("DHTNET_CACHE_DIR");
if (cache_path) {
return std::filesystem::path(cache_path);
}
auto* home = getenv("HOME");
if (home) {
return std::filesystem::path(home) / ".cache" / "dhtnet";
}
// If user got no HOME and no DHTNET_CACHE_DIR set, use /tmp
return std::filesystem::path("/tmp");
}
std::unique_ptr<ConnectionManager::Config> std::unique_ptr<ConnectionManager::Config>
connectionManagerConfig(dht::crypto::Identity identity, connectionManagerConfig(dht::crypto::Identity identity,
const std::string& bootstrap, const std::string& bootstrap,
...@@ -41,7 +55,6 @@ connectionManagerConfig(dht::crypto::Identity identity, ...@@ -41,7 +55,6 @@ connectionManagerConfig(dht::crypto::Identity identity,
const std::string& turn_pass, const std::string& turn_pass,
const std::string& turn_realm) const std::string& turn_realm)
{ {
std::filesystem::create_directories(PATH/"certstore");
// DHT node creation: To make a connection manager at first a DHT node should be created // DHT node creation: To make a connection manager at first a DHT node should be created
dht::DhtRunner::Config dhtConfig; dht::DhtRunner::Config dhtConfig;
dhtConfig.dht_config.id = identity; dhtConfig.dht_config.id = identity;
...@@ -70,7 +83,7 @@ connectionManagerConfig(dht::crypto::Identity identity, ...@@ -70,7 +83,7 @@ connectionManagerConfig(dht::crypto::Identity identity,
config->id = identity; config->id = identity;
config->ioContext = ioContext; config->ioContext = ioContext;
config->certStore = certStore; config->certStore = certStore;
config->cachePath = PATH; config->cachePath = cachePath();
config->factory = iceFactory; config->factory = iceFactory;
config->logger = logger; config->logger = logger;
if (!turn_host.empty()){ if (!turn_host.empty()){
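Review bot: The last fallback in cachePath() returns `/tmp` itself, so the certificate store and `config->cachePath` end up under fixed names in a world-writable directory shared with every local account, and the trust decisions built on that store then depend on files the process may not own. The fallback should either fail with a clear error or use a private subdirectory that is created with owner-only permissions (`std::filesystem::perms::owner_all`) and checked for ownership before use. An empty `DHTNET_CACHE_DIR` is also accepted and yields a path relative to the working directory; `if (cache_path && *cache_path)` (and the same for `home`) avoids that. The `create_directories(PATH/"certstore")` call is dropped from connectionManagerConfig, whose body continues outside these hunks, and nothing visible here creates the new directory, so it is worth confirming that the store creates it itself.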
......
...@@ -25,7 +25,8 @@ namespace dhtnet { ...@@ -25,7 +25,8 @@ namespace dhtnet {
using Buffer = std::shared_ptr<std::vector<uint8_t>>; using Buffer = std::shared_ptr<std::vector<uint8_t>>;
constexpr size_t BUFFER_SIZE = 64 * 1024; constexpr size_t BUFFER_SIZE = 64 * 1024;
const std::filesystem::path PATH = std::filesystem::path(getenv("HOME")) / ".dhtnet";
std::filesystem::path cachePath();
std::unique_ptr<ConnectionManager::Config> connectionManagerConfig( std::unique_ptr<ConnectionManager::Config> connectionManagerConfig(
dht::crypto::Identity identity, dht::crypto::Identity identity,
......
...@@ -46,8 +46,10 @@ To facilitate SSH connections to a remote device, dnc establishes a DHT network ...@@ -46,8 +46,10 @@ To facilitate SSH connections to a remote device, dnc establishes a DHT network
To initiate, generate a certificate authority and a server certificate: To initiate, generate a certificate authority and a server certificate:
```shell ```shell
sudo dhtnet-crtmgr --setup -o /etc/dhtnet/ sudo dhtnet-crtmgr --setup -o /usr/local/etc/dhtnet/
``` ```
The server will cache some values in `/var/run/dhtnet`. If this must be changed,
you can remove the line `Environment="DHTNET_CACHE_DIR=/var/run/dhtnet"` in `dnc.service.in`.
Then, launch the dnc service: Then, launch the dnc service:
```shell ```shell
systemctl start dnc.service systemctl start dnc.service
......
...@@ -62,9 +62,7 @@ Dnc::Dnc(dht::crypto::Identity identity, ...@@ -62,9 +62,7 @@ Dnc::Dnc(dht::crypto::Identity identity,
const bool anonymous) const bool anonymous)
: logger(dht::log::getStdLogger()) : logger(dht::log::getStdLogger())
, ioContext(std::make_shared<asio::io_context>()), , ioContext(std::make_shared<asio::io_context>()),
iceFactory(std::make_shared<IceTransportFactory>(logger)), iceFactory(std::make_shared<IceTransportFactory>(logger))
certStore(std::make_shared<tls::CertificateStore>(PATH/"certstore", logger)),
trustStore(std::make_shared<tls::TrustStore>(*certStore))
{ {
ioContextRunner = std::thread([context = ioContext, logger = logger] { ioContextRunner = std::thread([context = ioContext, logger = logger] {
try { try {
...@@ -76,6 +74,9 @@ Dnc::Dnc(dht::crypto::Identity identity, ...@@ -76,6 +74,9 @@ Dnc::Dnc(dht::crypto::Identity identity,
} }
}); });
certStore = std::make_shared<tls::CertificateStore>(cachePath()/"certStore", logger);
trustStore = std::make_shared<tls::TrustStore>(*certStore);
auto ca = identity.second->issuer; auto ca = identity.second->issuer;
trustStore->setCertificateStatus(ca->getId().toString(), tls::TrustStore::PermissionStatus::ALLOWED); trustStore->setCertificateStatus(ca->getId().toString(), tls::TrustStore::PermissionStatus::ALLOWED);
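Review bot: The store directory here is spelled `cachePath()/"certStore"` with a capital S, while the Dsh and Dvpn constructors in this same commit, and the line removed here, use `"certstore"`. On a case-sensitive filesystem dnc would keep its certificates in a different directory from the other tools and from existing installs; `certStore = std::make_shared<tls::CertificateStore>(cachePath()/"certstore", logger);` keeps them aligned. Since `certStore` and `trustStore` are now assigned in the constructor body after `ioContextRunner` is started, a short comment saying why they moved out of the initializer list would help the next reader. The constructor continues outside the hunk.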
......
...@@ -2,41 +2,19 @@ ...@@ -2,41 +2,19 @@
Description=Dnc server Description=Dnc server
Documentation=man:dnc(1) Documentation=man:dnc(1)
After=network.target After=network.target
Wants=network-online.target
Documentation=https://git.jami.net/savoirfairelinux/dhtnet/blob/master/tools/dvpn/README.md
[Service] [Service]
Type=simple Type=exec
User=dnc Environment="DHTNET_CACHE_DIR=/var/run/dhtnet"
Group=dnc
ExecStart=@bindir@/dnc -l -d @sysconfdir@/dhtnet/dnc.yaml -c @sysconfdir@/dhtnet/id/id-server.crt -p @sysconfdir@/dhtnet/id/id-server.pem ExecStart=@bindir@/dnc -l -d @sysconfdir@/dhtnet/dnc.yaml -c @sysconfdir@/dhtnet/id/id-server.crt -p @sysconfdir@/dhtnet/id/id-server.pem
Restart=on-failure Restart=on-failure
RestartSec=2s
LimitNOFILE=65536
DynamicUser=yes
KillMode=process
WorkingDirectory=/tmp
# Hardening
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
LockPersonality=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict ProtectSystem=strict
ReadOnlyDirectories=/ ProtectKernelTunables=yes
ReadWriteDirectories=-/proc/self ProtectKernelModules=yes
ReadWriteDirectories=-/var/run ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 PrivateDevices=yes
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service SystemCallFilter=@system-service
[Install] [Install]
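Review bot: With `User=`/`Group=` gone and no `DynamicUser=` on the new side (inferred from the -2,41 +2,19 counts, since the +/- markers are lost in this rendering), the unit appears to run dnc as root while also dropping `NoNewPrivileges=yes`, `CapabilityBoundingSet=`, `RestrictAddressFamilies=` and most of the other sandboxing it had. Not requiring a pre-created account does not need root: `DynamicUser=yes` allocates one at start, and the hardening lines could stay regardless. Separately, `ProtectSystem=strict` leaves `/var/run/dhtnet` read-only unless the unit declares it, so the cache directory is likely unwritable as written. `RuntimeDirectory=dhtnet` together with `Environment="DHTNET_CACHE_DIR=%t/dhtnet"` and `RuntimeDirectoryMode=0700` would have systemd create it with the right owner and remove it on stop.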
......
...@@ -95,7 +95,7 @@ dhtnet::Dsh::Dsh(dht::crypto::Identity identity, ...@@ -95,7 +95,7 @@ dhtnet::Dsh::Dsh(dht::crypto::Identity identity,
:logger(dht::log::getStdLogger()) :logger(dht::log::getStdLogger())
, ioContext(std::make_shared<asio::io_context>()), , ioContext(std::make_shared<asio::io_context>()),
iceFactory(std::make_shared<IceTransportFactory>(logger)), iceFactory(std::make_shared<IceTransportFactory>(logger)),
certStore(std::make_shared<tls::CertificateStore>(PATH/"certstore", logger)), certStore(std::make_shared<tls::CertificateStore>(cachePath()/"certstore", logger)),
trustStore(std::make_shared<tls::TrustStore>(*certStore)) trustStore(std::make_shared<tls::TrustStore>(*certStore))
{ {
ioContext = std::make_shared<asio::io_context>(); ioContext = std::make_shared<asio::io_context>();
......
...@@ -166,7 +166,7 @@ dhtnet::Dvpn::Dvpn(dht::crypto::Identity identity, ...@@ -166,7 +166,7 @@ dhtnet::Dvpn::Dvpn(dht::crypto::Identity identity,
: logger(dht::log::getStdLogger()) : logger(dht::log::getStdLogger())
, ioContext(std::make_shared<asio::io_context>()), , ioContext(std::make_shared<asio::io_context>()),
iceFactory(std::make_shared<IceTransportFactory>(logger)), iceFactory(std::make_shared<IceTransportFactory>(logger)),
certStore(std::make_shared<tls::CertificateStore>(PATH/"certstore", logger)), certStore(std::make_shared<tls::CertificateStore>(cachePath()/"certstore", logger)),
trustStore(std::make_shared<tls::TrustStore>(*certStore)) trustStore(std::make_shared<tls::TrustStore>(*certStore))
{ {
ioContextRunner = std::thread([context = ioContext, logger = logger] { ioContextRunner = std::thread([context = ioContext, logger = logger] {
......