New daemon architecture
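--- a/dist/INSTALL.md
+++ b/dist/INSTALL.md
@@ -0,0 +1,85 @@
+# bleh / blehd install notes
+
+## Recommended model
+
+- `bleh` is unprivileged.
+- `blehd` runs as **root** (recommended). It owns the BLE device, and exposes a Unix socket for `bleh` to use.
+- Access to that socket can be restricted with `--group` (recommended).
+
+## Build
+
+```sh
+make build
+```
+
+## Install (system)
+
+```sh
+sudo make install PREFIX=/usr/local
+```
+
+By default (`SETCAP=auto`), `make install` will apply capabilities to `blehd` when run as root.
+
+If you plan to run `blehd` as a **root system service** (recommended), you can skip capabilities:
+
+```sh
+sudo make install SETCAP=0
+```
+
+## Group access (optional)
+
+If you want group-based access to the socket:
+
+```sh
+sudo groupadd -r bleh || true
+sudo usermod -aG bleh $USER
+# then re-login
+```
+
+Then run blehd with `--group bleh`.
+
+## systemd service (recommended)
+
+Install the unit:
+
+```sh
+sudo make install-systemd
+```
+
+Enable it:
+
+```sh
+sudo systemctl daemon-reload
+sudo systemctl enable --now blehd.service
+```
+
+This will run `blehd` as root, listening on:
+
+- `/run/bleh/blehd.sock`
+
+To uninstall:
+
+```sh
+sudo make uninstall-systemd
+```
+
+## OpenRC service
+
+Install the init script:
+
+```sh
+sudo make install-openrc
+```
+
+Enable it:
+
+```sh
+sudo rc-update add blehd default
+sudo rc-service blehd start
+```
+
+To uninstall:
+
+```sh
+sudo make uninstall-openrc
+```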
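--- a/dist/openrc/blehd
+++ b/dist/openrc/blehd
@@ -0,0 +1,17 @@
+#!/sbin/openrc-run
+
+name="blehd"
+description="Bleh MXW01 privileged helper daemon"
+
+command="/usr/local/bin/blehd"
+command_args="--socket /run/bleh/blehd.sock --group bleh"
+command_background=true
+pidfile="/run/${name}.pid"
+
+start_pre() {
+checkpath -d -m 0755 /run/bleh
+}
+
+depend() {
+after bluetooth
+}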
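Review bot: `start_pre` creates `/run/bleh` as `0755` with no owner given, so every local user can traverse to the socket and access control rests entirely on the mode and group that `blehd` applies to the socket file itself. Because the script already hard-codes `--group bleh`, the directory can carry the same restriction: `checkpath -d -m 0750 -o root:bleh /run/bleh`. That also covers any interval between bind and the ownership change, in case blehd does not set them atomically (its socket setup is not visible in this section). INSTALL.md describes creating the `bleh` group as optional while this script always passes `--group bleh`; either the group step is required for the OpenRC path, or the argument should come from a conf.d variable with a comment saying so.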
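--- a/dist/systemd/blehd-root.service
+++ b/dist/systemd/blehd-root.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=Bleh MXW01 helper daemon (root)
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/blehd --socket /run/bleh/blehd.sock --group bleh
+Restart=on-failure
+RestartSec=1
+
+RuntimeDirectory=bleh
+RuntimeDirectoryMode=0755
+
+# Hardening (still useful even as root)
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target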
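Review bot: The hardening block leaves the service with root's full capability set and every socket address family, so a bug reachable through the Unix socket runs with far more privilege than BLE access needs. Add `CapabilityBoundingSet=` limited to the capabilities `make install` grants via setcap (the list is not shown in this section) plus whatever blehd needs to set the socket's group, and `RestrictAddressFamilies=AF_UNIX AF_BLUETOOTH`, extended with `AF_NETLINK` only if the daemon requires it. `After=network.target` also differs from the OpenRC script's `after bluetooth`; `After=bluetooth.target` looks like the intended ordering. As in the OpenRC script, `--group bleh` is fixed in `ExecStart` although INSTALL.md calls the group optional, so the unit presumably depends on the group existing.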