added systemd service and env file

2026-02-24 05:48:20 +03:00 · 2026-02-24 05:48:20 +03:00 · 5dd813b12a
commit 5dd813b12a
parent 86fd4efbb7
4 changed files with 73 additions and 0 deletions
--- a/.gear/rules
+++ b/.gear/rules
@ -1,2 +1,4 @@
 tar: @name@ name=@name@-@version@
 tar: .gear/predownloaded-development name=@name@-development-@version@ base=
+copy: @name@.service
+copy: @name@.env.example
--- a/lk-jwt-service.env.example
+++ b/lk-jwt-service.env.example
@ -0,0 +1,11 @@
+# Mandatory
+LIVEKIT_KEY=YOUR_LIVEKIT_KEY
+LIVEKIT_SECRET=YOUR_LIVEKIT_SECRET
+LIVEKIT_URL=wss://example.com
+# Optional
+LIVEKIT_FULL_ACCESS_HOMESERVERS=example.com
+# Bind only to localhost when behind reverse proxy (recommended)
+LIVEKIT_JWT_BIND=127.0.0.1:8080
+
+# Never use in production:
+# LIVEKIT_INSECURE_SKIP_VERIFY_TLS=YES_I_KNOW_WHAT_I_AM_DOING
--- a/lk-jwt-service.service
+++ b/lk-jwt-service.service
@ -0,0 +1,56 @@
+[Unit]
+Description=MatrixRTC Authorization Service (lk-jwt-service)
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/lk-jwt-service
+
+EnvironmentFile=-/etc/lk-jwt-service/lk-jwt-service.env
+
+# Secrets via systemd credentials (preferred)
+#LoadCredential=livekit_key:/etc/lk-jwt-service/livekit_key
+#LoadCredential=livekit_secret:/etc/lk-jwt-service/livekit_secret
+#Environment=LIVEKIT_KEY_FROM_FILE=%d/livekit_key
+#Environment=LIVEKIT_SECRET_FROM_FILE=%d/livekit_secret
+
+# --- Hardening ---
+DynamicUser=yes
+NoNewPrivileges=yes
+
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ProtectHome=yes
+
+ProtectControlGroups=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectClock=yes
+ProtectHostname=yes
+
+ProtectProc=invisible
+ProcSubset=pid
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictSUIDSGID=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+SystemCallArchitectures=native
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+KeyringMode=private
+RemoveIPC=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
+# Reliability
+Restart=on-failure
+RestartSec=2s
+TimeoutStartSec=30s
+TimeoutStopSec=30s
+
+[Install]
+WantedBy=multi-user.target
--- a/lk-jwt-service.spec
+++ b/lk-jwt-service.spec
@ -10,6 +10,8 @@ VCS:            https://github.com/element-hq/lk-jwt-service

 Source:         %name-%version.tar
 Source1:        %name-development-%version.tar
+Source2:        %name.service
+Source3:        %name.env

 BuildRequires:  golang >= 1.23
 Requires:       ca-certificates
@ -36,6 +38,8 @@ go test -mod=vendor ./...

 %install
 install -Dpm0755 %{name} %{buildroot}%{_bindir}/%{name}
+install %SOURCE2 %{buildroot}%{_etcdir}/systemd/system/%name.service
+install %SOURCE3 %{buildroot}%{_etcdir}/%{name}/lk-jwt-service.env

 %files
 %doc README.md LICENSE LICENSE-COMMERCIAL