add buffyboard systemd service

buffyboard/buffyboard.service.in

@@ -0,0 +1,38 @@
+[Unit]
+Documentation=https://gitlab.postmarketos.org/postmarketOS/buffybox
+
+[Service]
+ExecStart=@bindir@/buffyboard
+Restart=on-failure
+
+# Allow access to input devices, framebuffer, tty
+DevicePolicy=closed
+DeviceAllow=/dev/uinput rw
+DeviceAllow=char-fb rw
+DeviceAllow=char-input rw
+DeviceAllow=char-tty rw
+# udev requires some limited networking
+RestrictAddressFamilies=AF_NETLINK
+
+# Hardening
+CapabilityBoundingSet=
+NoNewPrivileges=true
+RestrictSUIDSGID=true
+PrivateMounts=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RemoveIPC=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+SystemCallFilter=~@resources

buffyboard/meson.build

@@ -24,3 +24,20 @@ executable('buffyboard',
 
 install_data('buffyboard.conf', install_dir: get_option('sysconfdir'))
 
+systemd = dependency('systemd', required: get_option('systemd-buffyboard-service'))
+if systemd.found()
+    system_unit_dir = systemd.get_variable(
+        pkgconfig: 'systemd_system_unit_dir',
+        pkgconfig_define: ['prefix', get_option('prefix')],
+    )
+
+    configure_file(
+      input : 'buffyboard.service.in',
+      output : 'buffyboard.service',
+      install : true,
+      install_dir : system_unit_dir,
+      configuration : {
+        'bindir' : get_option('prefix') / get_option('bindir'),
+      },
+    )
+endif