mollyim/mollysocket
1
0
Fork 0
mirror of https://github.com/mollyim/mollysocket.git synced 2025-05-12 21:30:40 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Sandbox systemd services and simplify install

Browse source
This commit is contained in:
sim 2025-02-03 14:28:18 +00:00
parent 35e80abd71
commit aaedd5b8af
4 changed files with 48 additions and 109 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

86
INSTALL.md
View file

@ -12,82 +12,21 @@ First of all, you need to install mollysocket on your system.
The service will run with a dedicated account, so create it and switch to that user:
```
sudo useradd mollysocket -m -d /opt/mollysocket
sudo -su mollysocket
cd
```console
# useradd mollysocket -M
```
#### Install the binary
You have 2 solutions to install the binary.
1. Use an already compiled binary: <https://github.com/mollyim/mollysocket/releases/>. To follow the systemd service, and for ease of use, link the executable (replace with the right version of the binary): `ln -s /opt/mollysocket/mollysocket-amd64-1.2.0 /opt/mollysocket/ms`
1. Use an already compiled binary: <https://github.com/mollyim/mollysocket/releases/>. Download it to `/usr/local/bin/` and link the executable: `ln -s /usr/local/bin/{REPLACE_WITH_DOWNLOADED_MS} /usr/local/bin/ms`
2. Use cargo. This method allows you to use cargo to maintain mollysocket up to date. First of all, you need to [install cargo](https://doc.rust-lang.org/cargo/getting-started/installation.html) (you need at least version 1.59). Then, install mollysocket using cargo: `cargo install mollysocket`. *You probably need to install some system packages, like libssl-dev libsqlite3-dev*. To follow the systemd service, and for ease of use, link the executable: `ln -s /opt/mollysocket/.cargo/bin/mollysocket /opt/mollysocket/ms`.
2. Use cargo. This method allows you to use cargo to maintain mollysocket up to date. First of all, you need to [install cargo](https://doc.rust-lang.org/cargo/getting-started/installation.html) (you need at least version 1.59). Then, install mollysocket using cargo: `cargo install mollysocket`. *You probably need to install some system packages, like libssl-dev libsqlite3-dev*. Then copy the compile binary to your system: `cp ~/.cargo/bin/mollysocket /usr/local/bin/ms`.
#### Prepare the config file
## Install systemd services
Download a sample of the config file: `wget -O /opt/mollysocket/prod.toml https://github.com/mollyim/mollysocket/raw/main/config-sample.toml`.
#### Done
Switch back to your usual account: `exit`.
## App configuration
*If you host your own Push server*, then explicitly add it to the allowed endpoints. In `/opt/mollysocket/prod.toml`, edit `allowed_endpoints = ['*', 'https://push.mydomain.tld']` (remove `'*'` if you will use your push server only).
## Install systemd service
Download the [systemd unit file](https://github.com/mollyim/mollysocket/raw/main/mollysocket.service) and place it in the right direction `/etc/systemd/system/`.
### Add a VAPID key
#### Option 1. With systemd-creds (Recommended)
You can use [systemd-creds](https://systemd.io/CREDENTIALS/) to encrypt the vapid key. Run the following command as _root_ to get the systemd-creds parameters:
```console
# sudo -u mollysocket mollysocket vapid gen | systemd-creds encrypt --name=ms_vapid -p - -
SetCredentialEncrypted=ms_vapid: \
k6iUCUh0RJCQyvL8k8q1UyAAAAABAAAADAAAABAAAAC1lFmbWAqWZ8dCCQkAAAAAgAAAA \
AAAAAALACMA0AAAACAAAAAAfgAg9uNpGmj8LL2nHE0ixcycvM3XkpOCaf+9rwGscwmqRJ \
cAEO24kB08FMtd/hfkZBX8PqoHd/yPTzRxJQBoBsvo9VqolKdy9Wkvih0HQnQ6NkTKEdP \
HQ08+x8sv5sr+Mkv4ubp3YT1Jvv7CIPCbNhFtag1n5y9J7bTOKt2SQwBOAAgACwAAABIA \
ID8H3RbsT7rIBH02CIgm/Gv1ukSXO3DMHmVQkDG0wEciABAAII6LvrmL60uEZcp5qnEkx \
SuhUjsDoXrJs0rfSWX4QAx5PwfdFuxPusgE==
```
This will output `SetCredentialEncrypted` you can use in your systemd unit file:
```ini
[Service]
SetCredentialEncrypted=ms_vapid: \
k6iUCUh0RJCQyvL8k8q1UyAAAAABAAAADAAAABAAAAC1lFmbWAqWZ8dCCQkAAAAAgAAAA \
AAAAAALACMA0AAAACAAAAAAfgAg9uNpGmj8LL2nHE0ixcycvM3XkpOCaf+9rwGscwmqRJ \
cAEO24kB08FMtd/hfkZBX8PqoHd/yPTzRxJQBoBsvo9VqolKdy9Wkvih0HQnQ6NkTKEdP \
HQ08+x8sv5sr+Mkv4ubp3YT1Jvv7CIPCbNhFtag1n5y9J7bTOKt2SQwBOAAgACwAAABIA \
ID8H3RbsT7rIBH02CIgm/Gv1ukSXO3DMHmVQkDG0wEciABAAII6LvrmL60uEZcp5qnEkx \
SuhUjsDoXrJs0rfSWX4QAx5PwfdFuxPusgE==
Environment=MOLLY_VAPID_KEY_FILE=%d/ms_vapid
```
#### Option 2. Plaintext
It is also possible to pass the value of the vapid key in plaintext to an environment variable in your unit file. Run the following command as _mollysocket_ user:
```console
$ mollysocket vapid gen
DSqYuWchrB6yIMYJtidvqANeRQic4uWy34afzZRsZnI
```
And use the output of the command in your systemd unit file:
```ini
[Service]
Environment=MOLLY_VAPID_PRIVKEY=DSqYuWchrB6yIMYJtidvqANeRQic4uWy34afzZRsZnI
```
Download the 2 systemd unit files [mollysocket.service](https://github.com/mollyim/mollysocket/raw/main/mollysocket.service) and [mollysocket-vapid.service](https://github.com/mollyim/mollysocket/raw/main/mollysocket-vapid.service) and place them in the right direction `/etc/systemd/system/`.
### Start the service
@ -95,6 +34,11 @@ You should be able to see that service now `systemctl status mollysocket`.
You can enable it `systemctl enable --now mollysocket`, the service is now active (`systemctl status mollysocket`), and will be started on system boot.
## App configuration
*If you host your own Push server*, then explicitly add it to the allowed endpoints. In `/etc/mollysocket/conf.toml`, edit `allowed_endpoints = ['*', 'https://push.mydomain.tld']` (remove `'*'` if you will use your push server only). Then restart the service `systemctl restart mollysocket`.
## (Option A) Proxy server
You will need to proxy everything from `/` to `http://127.0.0.1:8020/` (8020 is the value define in the systemd unit file for `$ROCKET_PORT`, it can be changed if needed).
@ -134,3 +78,11 @@ For instance `sudo -su mollysocket MOLLY_CONF=/opt/mollysocket/prod.toml /opt/mo
## (Optional) More restrictive configuration
Once you have registered Molly (with option A or B), and you will be the only user using this service, you can restrict `allowed_uuids = ['baab32b9-d60b-4c39-9e14-15d8f6e1527e']` and `allowed_endpoints = ['https://push.mydomain.tld/upthisisrandom?up']` in the config file.
## Backup the VAPID privkey
If you wish to backup your VAPID privkey, you can run the following:
```console
# systemd-run -P --wait -p LoadCredentialEncrypted=vapid.key:/etc/mollysocket/vapid.key systemd-creds cat vapid.key
```

33
README.md
View file

@ -76,38 +76,7 @@ The easiest way to pass the VAPID key when using docker compose is to pass it wi
#### With a systemd service
If you use a [systemd service](mollysocket.service) for MollySocket, you may wish to use [systemd-creds](https://systemd.io/CREDENTIALS/) to store securely the VAPID key.
<sup>If you have installed your systemd service in [user mode](https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Unit%20File%20Load%20Path), adds `--user` to systemd-creds commands.</sup>
```console
$ # Service installed in user mode:
$ # mollysocket vapid gen | systemd-creds --user encrypt --name=ms_vapid -p - -
$
# # Service installed in system mode:
# mollysocket vapid gen | systemd-creds encrypt --name=ms_vapid -p - -
SetCredentialEncrypted=ms_vapid: \
k6iUCUh0RJCQyvL8k8q1UyAAAAABAAAADAAAABAAAAC1lFmbWAqWZ8dCCQkAAAAAgAAAA \
AAAAAALACMA0AAAACAAAAAAfgAg9uNpGmj8LL2nHE0ixcycvM3XkpOCaf+9rwGscwmqRJ \
cAEO24kB08FMtd/hfkZBX8PqoHd/yPTzRxJQBoBsvo9VqolKdy9Wkvih0HQnQ6NkTKEdP \
HQ08+x8sv5sr+Mkv4ubp3YT1Jvv7CIPCbNhFtag1n5y9J7bTOKt2SQwBOAAgACwAAABIA \
ID8H3RbsT7rIBH02CIgm/Gv1ukSXO3DMHmVQkDG0wEciABAAII6LvrmL60uEZcp5qnEkx \
SuhUjsDoXrJs0rfSWX4QAx5PwfdFuxPusgE==
```
This will output `SetCredentialEncrypted` you can use in your systemd unit file:
```ini
[Service]
SetCredentialEncrypted=ms_vapid: \
k6iUCUh0RJCQyvL8k8q1UyAAAAABAAAADAAAABAAAAC1lFmbWAqWZ8dCCQkAAAAAgAAAA \
AAAAAALACMA0AAAACAAAAAAfgAg9uNpGmj8LL2nHE0ixcycvM3XkpOCaf+9rwGscwmqRJ \
cAEO24kB08FMtd/hfkZBX8PqoHd/yPTzRxJQBoBsvo9VqolKdy9Wkvih0HQnQ6NkTKEdP \
HQ08+x8sv5sr+Mkv4ubp3YT1Jvv7CIPCbNhFtag1n5y9J7bTOKt2SQwBOAAgACwAAABIA \
ID8H3RbsT7rIBH02CIgm/Gv1ukSXO3DMHmVQkDG0wEciABAAII6LvrmL60uEZcp5qnEkx \
SuhUjsDoXrJs0rfSWX4QAx5PwfdFuxPusgE==
Environment=MOLLY_VAPID_KEY_FILE=%d/ms_vapid
```
If you use a [systemd service](mollysocket.service) for MollySocket, installation steps are listed in <./INSTALL.md>
Alternatively, you can store the VAPID key in cleartext in the systemd unit file:

14
mollysocket-vapid.service Normal file
View file

@ -0,0 +1,14 @@
[Unit]
Description=Generate MollySocket VAPID key
[Service]
Type=oneshot
ExecStart=sh -c '( [ -f $CONFIGURATION_DIRECTORY/conf.toml ] || echo "db = \'$STATE_DIRECTORY/ms.db\'" > $CONFIGURATION_DIRECTORY/conf.toml ); ( [ -f $CONFIGURATION_DIRECTORY/vapid.key ] || ( ms vapid gen | systemd-creds encrypt - $CONFIGURATION_DIRECTORY/vapid.key ) )'
RemainAfterExit=true
ConfigurationDirectory=mollysocket
StateDirectory=mollysocket
ProtectHome=true
ProtectSystem=true

24
mollysocket.service
View file

@ -1,26 +1,30 @@
[Unit]
Description=MollySocket
After=network-online.target
After=network-online.target mollysocket-vapid.service
Wants=mollysocket-vapid.service
[Service]
Type=simple
Environment="RUST_LOG=info"
Environment="MOLLY_CONF=/opt/mollysocket/prod.toml"
WorkingDirectory=/opt/mollysocket/
Environment="MOLLY_CONF=/etc/mollysocket/conf.toml"
# TODO: set VAPID key
# Option 1, with systemd-creds
# SetCredentialEncrypted=[...] output of `mollysocket vapid gen | systemd-creds encrypt --name=ms_vapid -p - -`
# Environment=MOLLY_VAPID_KEY_FILE=%d/ms_vapid
#
# Option 2, key stored in plaintext
# /etc/mollysocket/vapid.key is generated by mollysocket-vapid.service,
# you can also store the key in plaintext:
# by replacing the 2 following lines with
# Environment=MOLLY_VAPID_PRIVKEY=[...] output of `mollysocket vapid gen`
LoadCredentialEncrypted=vapid.key:/etc/mollysocket/vapid.key
Environment=MOLLY_VAPID_KEY_FILE=%d/vapid.key
User=mollysocket
Group=mollysocket
ConfigurationDirectory=mollysocket::ro
StateDirectory=mollysocket
UMask=0007
ProtectHome=true
ProtectSystem=true
ExecStart=/opt/mollysocket/ms server
ExecStart=ms server
KillSignal=SIGINT
Restart=on-failure