rarpd: integrate systemd service file with build-system

In same go make service unit file to indicate which interface rarpd ought to
listen.  The rarpd should not to go background, that helps systemd to know
what is going on with the process.  And while one it lets harden rarpd unit
file to drop all unnecessary system access.

Signed-off-by: Sami Kerola <kerolasa@iki.fi>

4 files changed, 47 insertions, 14 deletions

diff --git a/meson.build b/meson.build
index 7dcf65d..2943fb9 100644
--- a/meson.build
+++ b/meson.build
@@ -90,6 +90,12 @@ elif opt == 'none'
 	conf.set('PING6_NONCE_MEMORY', 1, description : 'If set RFC6744 random does not use any CRYPTO lib.')
 endif
 
+systemd = dependency('systemd', required : false)
+systemdunitdir = get_option('systemdunitdir')
+if systemdunitdir == '' and systemd.found()
+	systemdunitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
+endif
+
 build_arping = get_option('BUILD_ARPING')
 build_clockdiff = get_option('BUILD_CLOCKDIFF')
 build_ping = get_option('BUILD_PING')
@@ -218,7 +224,18 @@ endif
 
 if build_rarpd == true
 	executable('rarpd', ['rarpd.c', git_version_h],
+		install_dir: 'sbin',
 		install: true)
+	if systemd.found()
+		subs = configuration_data()
+		subs.set('sbindir', join_paths(get_option('prefix'), get_option('sbindir')))
+		unit_file = configure_file(
+			input: 'systemd/rarpd.service.in',
+			output: 'rarpd@.service',
+			configuration: subs
+		)
+		install_data(unit_file, install_dir: systemdunitdir)
+	endif
 endif
 
 if build_ninfod == true
diff --git a/meson_options.txt b/meson_options.txt
index 7860cdb..c825156 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -48,3 +48,6 @@ option('ARPING_DEFAULT_DEVICE', type : 'string', value : '',
 
 option('USE_SYSFS', type : 'boolean', value : true,
 	description : 'Use /sys file system (arping)')
+
+option('systemdunitdir', type: 'string', value: '',
+	description: 'Directory for systemd units')
diff --git a/rarpd.service b/rarpd.service
deleted file mode 100644
index 137710e..0000000
--- a/rarpd.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Reverse Address Resolution Protocol Requests Server
-Requires=network.target
-After=syslog.target network.target
-
-[Service]
-Type=forking
-EnvironmentFile=-/etc/sysconfig/rarpd
-ExecStart=/usr/sbin/rarpd $OPTIONS $INTERFACE
-StandardError=syslog
-
-[Install]
-WantedBy=multi-user.target
-
diff --git a/systemd/rarpd.service.in b/systemd/rarpd.service.in
new file mode 100644
index 0000000..d161785
--- /dev/null
+++ b/systemd/rarpd.service.in
@@ -0,0 +1,27 @@
+[Unit]
+Description=Reverse Address Resolution Protocol Requests Server (%I)
+Documentation=man:rarpd(8)
+Requires=network.target
+After=network.target
+
+[Service]
+EnvironmentFile=-/etc/sysconfig/rarpd
+ExecStart=@sbindir@/rarpd -d $OPTIONS %i
+
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateUsers=yes
+ProtectSystem=strict
+ProtectHome=yes
+ProtectControlGroups=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+SystemCallArchitectures=native
+LockPersonality=yes
+NoNewPrivileges=yes
+
+[Install]
+WantedBy=multi-user.target