From 6ac8ffd36308c829c890a041d87fbc54bcf74229 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Mon, 10 Feb 2025 13:28:40 +0100
Subject: [PATCH] dnsdist: Install binary, man page and systemd unit files with meson
---
 pdns/dnsdistdist/dnsdist.service.meson.in | 61 ++++++++++++++
 pdns/dnsdistdist/meson.build | 97 +++++++++++++++++++++++
 2 files changed, 158 insertions(+)
 create mode 100644 pdns/dnsdistdist/dnsdist.service.meson.in
diff --git a/pdns/dnsdistdist/dnsdist.service.meson.in b/pdns/dnsdistdist/dnsdist.service.meson.in
new file mode 100644
index 000000000000..41501cc4cd52
--- /dev/null
+++ b/pdns/dnsdistdist/dnsdist.service.meson.in
@@ -0,0 +1,61 @@
+[Unit]
+Description=@Description@
+Documentation=man:dnsdist(1)
+Documentation=https://dnsdist.org
+Wants=network-online.target
+After=network-online.target time-sync.target
+
+[Service]
+ExecStartPre=@BinDir@/dnsdist --check-config
+# Note: when editing the ExecStart command, keep --supervised and --disable-syslog
+ExecStart=@BinDir@/dnsdist --supervised --disable-syslog
+User=@ServiceUser@
+Group=@ServiceGroup@
+SyslogIdentifier=dnsdist
+Type=notify
+Restart=on-failure
+RestartSec=2
+TimeoutStopSec=5
+StartLimitInterval=0
+
+# Tuning
+TasksMax=8192
+LimitNOFILE=16384
+# Note: increasing the amount of lockable memory is required to use eBPF support
+# LimitMEMLOCK=infinity
+
+# Sandboxing
+# Note: adding CAP_SYS_ADMIN is required to use eBPF support,
+# and CAP_NET_RAW to be able to set the source interface to contact a backend
+# If an AppArmor policy is in use, it might have to be updated to allow dnsdist to keep the
+# capability: adding a 'capability sys_admin,' line to the policy is usually enough.
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+@LockPersonality@
+NoNewPrivileges=true
+@PrivateDevices@
+@PrivateTmp@
+# Setting PrivateUsers=true prevents us from opening our sockets
+@ProtectClock@
+@ProtectControlGroups@
+@ProtectHome@
+@ProtectHostname@
+@ProtectKernelLogs@
+@ProtectKernelModules@
+@ProtectKernelTunables@
+@ProtectSystem@
+@RestrictAddressFamilies@
+@RestrictNamespaces@
+@RestrictRealtime@
+@RestrictSUIDSGID@
+@SystemCallArchitectures@
+@SystemCallFilter@
+@ProtectProc@
+@PrivateIPC@
+@RemoveIPC@
+DevicePolicy=closed
+# Not enabled by default because it does not play well with LuaJIT
+@MemoryDenyWriteExecute@
+
+[Install]
+WantedBy=multi-user.target
diff --git a/pdns/dnsdistdist/meson.build b/pdns/dnsdistdist/meson.build
index 4baa479869d9..2227f8a66736 100644
--- a/pdns/dnsdistdist/meson.build
+++ b/pdns/dnsdistdist/meson.build
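Review bot: In dnsdist.service.meson.in, `SyslogIdentifier=dnsdist` is hard-coded, so the `SyslogIdentifier` value that meson.build sets (`dnsdist-%i` for `dnsdist@.service`) is never substituted and every instance logs under the same identifier. That makes journal entries from separate instances hard to tell apart when triaging an incident or writing per-instance alerting. Use `SyslogIdentifier=@SyslogIdentifier@` in the template so the per-unit value set in the last meson.build hunk takes effect.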
@@ -416,6 +416,7 @@ tools = { dep_json11, dep_systemd, ], + 'install': true, }, } @@ -523,6 +524,7 @@ foreach tool, info: tools files_extra = 'files-extra' in info ? info['files-extra'] : [] deps_extra = 'deps-extra' in info ? info['deps-extra'] : [] link_args = 'link-args' in info ? info['link-args'] : [] + install = 'install' in info ? info['install'] : false set_variable( var_name, @@ -537,12 +539,14 @@ foreach tool, info: tools libdnsdist_common, deps_extra, ], + install: install, ) ) if 'manpages' in info foreach man_page: info['manpages'] man_pages += docs_dir / 'manpages' / (man_page + '.rst') + install_man(man_page) endforeach endif endforeach 
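Review bot: In the third hunk, `install_man(man_page)` is passed the bare page name, which Meson resolves against the current source directory at configure time, while the line above it registers `docs_dir / 'manpages' / (man_page + '.rst')` as the source. If the rendered page is only produced by the docs target under `if python.found()` (its definition is not visible here), a checkout without a pre-built page would presumably fail to configure. Consider guarding the call on the file existing, or installing the generated page from the target that builds it. The enclosing `foreach tool, info: tools` loop starts outside the hunk.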
@@ -572,3 +576,96 @@ if python.found()
 ] + man_pages,
 )
 endif
+
+if dep_systemd_prog.found()
+
+ systemd_system_unit_dir = dep_systemd_prog.get_variable(
+ 'systemdsystemunitdir',
+ )
+
+ systemd_service_conf = configuration_data()
+ systemd_service_conf.set('Description', 'DNS Loadbalancer')
+ systemd_service_conf.set('BinDir', get_option('prefix') / get_option('bindir'))
+ systemd_service_user = get_option('systemd-service-user')
+ systemd_service_group = get_option('systemd-service-group')
+ systemd_service_conf.set('ServiceUser', systemd_service_user)
+ systemd_service_conf.set('ServiceGroup', systemd_service_group)
+ summary('Service User', systemd_service_user, section: 'Systemd')
+ summary('Service Group', systemd_service_group, section: 'Systemd')
+
+ systemd_service_conf.set(
+ 'ProtectSystem', have_systemd_protect_system ? 'ProtectSystem=full' : '',
+ )
+ systemd_service_conf.set(
+ 'SystemCallArchitectures',
+ have_systemd_system_call_architectures ? 'SystemCallArchitectures=native' : '',
+ )
+ systemd_system_call_filter = '~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete'
+ systemd_service_conf.set(
+ 'SystemCallFilter',
+ have_systemd_system_call_filter ? 'SystemCallFilter=' + systemd_system_call_filter : '',
+ )
+ systemd_service_conf.set(
+ 'ProtectProc',
+ have_systemd_protect_proc ? 'ProtectProc=invisible' : '',
+ )
+
+ systemd_features = {
+ 'LockPersonality': have_systemd_lock_personality,
+ 'PrivateDevices': have_systemd_private_devices,
+ 'PrivateTmp': have_systemd_private_tmp,
+ 'PrivateUsers': false, # Setting it to true prevents us from opening our sockets.
+ 'ProtectClock': have_systemd_protect_clock,
+ 'ProtectControlGroups': have_systemd_protect_control_groups,
+ 'ProtectHome': have_systemd_protect_home,
+ 'ProtectHostname': have_systemd_protect_hostname,
+ 'ProtectKernelLogs': have_systemd_protect_kernel_logs,
+ 'ProtectKernelModules': have_systemd_protect_kernel_modules,
+ 'ProtectKernelTunables': have_systemd_protect_kernel_tunables,
+ 'RestrictNamespaces': have_systemd_restrict_namespaces,
+ 'RestrictRealtime': have_systemd_restrict_realtime,
+ 'RestrictSUIDSGID': have_systemd_restrict_suidsgid,
+ 'PrivateIPC': have_systemd_private_ipc,
+ 'RemoveIPC': have_systemd_remove_ipc,
+ }
+
+ foreach feature, enable_it: systemd_features
+ systemd_service_conf.set(feature, enable_it ? feature + '=true': '')
+ endforeach
+
+ # Disabled, it breaks LuaJIT.
+ systemd_service_conf.set(
+ 'MemoryDenyWriteExecute',
+ have_systemd_memory_deny_write_execute ? 'MemoryDenyWriteExecute=false' : '',
+ )
+ systemd_service_conf.set(
+ 'RestrictAddressFamilies',
+ have_systemd_restrict_address_families ? 'RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6' : '',
+ )
+
+ dnsdist_service_conf_general = configuration_data()
+ dnsdist_service_conf_general.set('Description', 'DNS Loadbalancer')
+ dnsdist_service_conf_general.merge_from(systemd_service_conf)
+ dnsdist_service_conf_general.set('SyslogIdentifier', 'dnsdist')
+
+ configure_file(
+ input: 'dnsdist.service.meson.in',
+ output: 'dnsdist.service',
+ configuration: dnsdist_service_conf_general,
+ install: true,
+ install_dir: systemd_system_unit_dir,
+ )
+
+ dnsdist_service_conf_instance = configuration_data()
+ dnsdist_service_conf_instance.merge_from(systemd_service_conf)
+ dnsdist_service_conf_instance.set('Description', 'DNS Loadbalancer %i')
+ dnsdist_service_conf_instance.set('SyslogIdentifier', 'dnsdist-%i')
+
+ configure_file(
+ input: 'dnsdist.service.meson.in',
+ output: 'dnsdist@.service',
+ configuration: dnsdist_service_conf_instance,
+ install: true,
+ install_dir: systemd_system_unit_dir,
+ )
+endif
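Review bot: `dnsdist@.service` is rendered from the same `dnsdist.service.meson.in` as `dnsdist.service`, and the only per-instance values set here are `Description` and `SyslogIdentifier`, so the template's `ExecStartPre`/`ExecStart` lines carry no `%i` and every instance would start with the same default configuration. Add a substitution for the configuration argument: set e.g. `ConfigArgs` to an empty string for the general unit and to `--config <sysconfdir>/dnsdist-%i.conf` (path is a placeholder) for the instance unit, and append `@ConfigArgs@` to both command lines in the template. Separately, `systemd-service-user` is written into `User=` unchecked; if the option can be empty (its default is not visible here), the unit would presumably fall back to running as root, so an `error()` on an empty value would be a cheap safeguard.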