From 099cdaddbc714cb1f63f9ccb2df335893883664d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ferdinand=20M=C3=BCtsch?=
Date: Wed, 22 Jun 2022 00:18:05 +0200
Subject: [PATCH] chore: add example systemd service unit file [ci skip]
---
README.md | 2 ++
Caddyfile => etc/Caddyfile | 0
etc/wakapi.service | 53 ++++++++++++++++++++++++++++++++++++++
3 files changed, 55 insertions(+)
rename Caddyfile => etc/Caddyfile (100%)
create mode 100644 etc/wakapi.service
diff --git a/README.md b/README.md
index fd7ecd5..b9b3cfc 100644
--- a/README.md
+++ b/README.md
@@ -113,6 +113,8 @@ $ ./wakapi **Note:** Check the comments in `config.yml` for best practices regarding security configuration and more. +💡 When running Wakapi standalone (without Docker), it is recommended to run it as a [SystemD service](etc/wakapi.service). + ### 💻 Client setup Wakapi relies on the open-source [WakaTime](https://github.com/wakatime/wakatime) client tools. In order to collect statistics for Wakapi, you need to set them up.
diff --git a/Caddyfile b/etc/Caddyfile
similarity index 100%
rename from Caddyfile
rename to etc/Caddyfile
diff --git a/etc/wakapi.service b/etc/wakapi.service
new file mode 100644
index 0000000..b2c8f2c
--- /dev/null
+++ b/etc/wakapi.service
@@ -0,0 +1,53 @@
+[Unit]
+Description=Wakapi
+StartLimitIntervalSec=400
+StartLimitBurst=3
+
+# Optional, in case you're running MySQL / Postgres with Systemd, too
+Requires=mysql.service
+After=mysql.service
+
+[Service]
+Type=simple
+
+# Assuming Wakapi executable is under /opt/wakapi and config file at /etc
+# Feel free to change this
+WorkingDirectory=/opt/wakapi
+ExecStart=/opt/wakapi/wakapi -config /etc/wakapi.yml
+
+# Environment variables, see README for more
+Environment=WAKAPI_DB_HOST=localhost
+Environment=WAKAPI_DB_USER=wakapi
+Environment=WAKAPI_DB_NAME=wakapi
+Environment=WAKAPI_DB_PASSWORD=secretpassword
+Environment=WAKAPI_PASSWORD_SALT=somerandomstring
+
+# TODO: Use Systemd's credentials management (https://systemd.io/CREDENTIALS/) introduced in v247 (%d syntax in v250) once more established
+
+# sudo groupadd wakapi
+# sudo useradd -g wakapi wakapi
+User=wakapi
+Group=wakapi
+
+Restart=on-failure
+RestartSec=90
+
+# Security hardening
+PrivateTmp=true
+PrivateUsers=true
+NoNewPrivileges=true
+ProtectSystem=full
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+PrivateDevices=true
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+ProtectClock=true
+RestrictSUIDSGID=true
+ProtectHostname=true
+ProtectProc=invisible
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
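Review bot: The `Environment=` lines for `WAKAPI_DB_PASSWORD` and `WAKAPI_PASSWORD_SALT` put secrets in the unit file itself, where any local user can usually read them: unit files are normally world-readable, and systemd exposes `Environment=` values to unprivileged clients (for example through `systemctl show`). Until the credentials mechanism named in the TODO is adopted, the example could keep both values in a root-owned, mode 0600 file and reference it with `EnvironmentFile=/path/to/wakapi.env` (placeholder path), with a comment telling the reader to replace the sample values. Separately, `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` only limits what the service may hold and grants nothing to the non-root `User=wakapi`; if Wakapi listens on an unprivileged port, an empty `CapabilityBoundingSet=` would be tighter.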