Fix #248 - Make a Debian package
This commit is contained in:
@ -76,3 +76,31 @@ cidr = "0.3.0"
|
||||
serde = { version = "1.0.210", features = ["derive"] }
|
||||
serde_json = "1.0.128"
|
||||
weighted-rs = "0.1.3"
|
||||
|
||||
[package.metadata.deb]
|
||||
maintainer = "William Desportes <williamdes@wdes.fr>"
|
||||
copyright = "2022-2025, William Desportes <williamdes@wdes.fr>"
|
||||
license-file = ["../LICENSE"]
|
||||
extended-description = """\
|
||||
Find hidden IPs in the internet snow."""
|
||||
depends = "$auto"
|
||||
section = "rust"
|
||||
priority = "optional"
|
||||
assets = [
|
||||
{ source = "README.md", dest = "usr/share/doc/snow-scanner/README", mode = "644"},
|
||||
{ source = "../data/collections/*/*", dest = "usr/share/snow-scanner/data/collections", mode = "644"},
|
||||
{ source = "../data/scanners/*", dest = "usr/share/snow-scanner/data/scanners", mode = "644"},
|
||||
{ source = "target/release/snow-scanner", dest = "usr/bin/snow-scanner", mode = "777"},
|
||||
{ source = "target/release/snow-scanner-worker", dest = "usr/bin/snow-scanner-worker", mode = "777"},
|
||||
]
|
||||
|
||||
maintainer-scripts = "debian/"
|
||||
systemd-units = [
|
||||
{ unit-name = "snow-scanner", enable = true, start = false, restart-after-upgrade = true, stop-on-upgrade = true },
|
||||
{ unit-name = "snow-scanner-worker", enable = true, start = false, restart-after-upgrade = true, stop-on-upgrade = true }
|
||||
]
|
||||
|
||||
conf-files = [
|
||||
"/etc/snow-scanner/.env",
|
||||
"/etc/snow-scanner/worker.env"
|
||||
]
|
||||
|
||||
77
snow-scanner/debian/snow-scanner-worker.service
Normal file
77
snow-scanner/debian/snow-scanner-worker.service
Normal file
@ -0,0 +1,77 @@
|
||||
[Unit]
|
||||
Description=Snow scanner worker
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=snow-scanner
|
||||
Group=snow-scanner
|
||||
EnvironmentFile=/etc/snow-scanner/worker.env
|
||||
|
||||
RemoveIPC=true
|
||||
ProtectHome=true
|
||||
NoNewPrivileges=true
|
||||
|
||||
PrivateTmp=false
|
||||
ProtectSystem=strict
|
||||
ProtectControlGroups=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
RestrictAddressFamilies=AF_INET AF_INET6
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
MemoryDenyWriteExecute=true
|
||||
LockPersonality=true
|
||||
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
|
||||
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
|
||||
# This is useful to turn off physical device access by the executed process
|
||||
PrivateDevices=true
|
||||
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
|
||||
DevicePolicy=closed
|
||||
ProtectProc=invisible
|
||||
ProtectClock=true
|
||||
ProcSubset=pid
|
||||
ProtectHostname=true
|
||||
ProtectKernelLogs=true
|
||||
# This will fail icmp pingers if set to true
|
||||
PrivateUsers=false
|
||||
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
|
||||
SystemCallFilter=~@privileged @raw-io @reboot @resources @swap @keyring
|
||||
SystemCallFilter=~@pkey @ipc
|
||||
|
||||
# to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately.
|
||||
SystemCallErrorNumber=EPERM
|
||||
|
||||
# See: https://www.opensourcerers.org/2022/04/25/optimizing-a-systemd-service-for-security/
|
||||
# Run: systemd-analyze security snow-scanner
|
||||
# Add this one for ports < 1024
|
||||
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||
#CapabilityBoundingSet=CAP_NET_RAW
|
||||
|
||||
SystemCallArchitectures=native
|
||||
|
||||
# Allow icmp
|
||||
#AmbientCapabilities=CAP_NET_RAW
|
||||
|
||||
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
|
||||
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
|
||||
# This is useful to turn off physical device access by the executed process
|
||||
PrivateDevices=true
|
||||
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
|
||||
DevicePolicy=closed
|
||||
|
||||
# No devices (except clock: ProtectClock)
|
||||
# See: https://github.com/systemd/systemd/issues/23185
|
||||
DeviceAllow=
|
||||
|
||||
BindReadOnlyPaths=/usr/share/snow-scanner
|
||||
|
||||
ExecStart=/usr/bin/snow-scanner-worker
|
||||
Restart=on-failure
|
||||
|
||||
LimitNOFILE=infinity
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
77
snow-scanner/debian/snow-scanner.service
Normal file
77
snow-scanner/debian/snow-scanner.service
Normal file
@ -0,0 +1,77 @@
|
||||
[Unit]
|
||||
Description=Snow scanner server
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=snow-scanner
|
||||
Group=snow-scanner
|
||||
EnvironmentFile=/etc/snow-scanner/.env
|
||||
|
||||
RemoveIPC=true
|
||||
ProtectHome=true
|
||||
NoNewPrivileges=true
|
||||
|
||||
PrivateTmp=false
|
||||
ProtectSystem=strict
|
||||
ProtectControlGroups=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
RestrictAddressFamilies=AF_INET AF_INET6
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
MemoryDenyWriteExecute=true
|
||||
LockPersonality=true
|
||||
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
|
||||
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
|
||||
# This is useful to turn off physical device access by the executed process
|
||||
PrivateDevices=true
|
||||
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
|
||||
DevicePolicy=closed
|
||||
ProtectProc=invisible
|
||||
ProtectClock=true
|
||||
ProcSubset=pid
|
||||
ProtectHostname=true
|
||||
ProtectKernelLogs=true
|
||||
# This will fail icmp pingers if set to true
|
||||
PrivateUsers=false
|
||||
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
|
||||
SystemCallFilter=~@privileged @raw-io @reboot @resources @swap @keyring
|
||||
SystemCallFilter=~@pkey @ipc
|
||||
|
||||
# to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately.
|
||||
SystemCallErrorNumber=EPERM
|
||||
|
||||
# See: https://www.opensourcerers.org/2022/04/25/optimizing-a-systemd-service-for-security/
|
||||
# Run: systemd-analyze security snow-scanner
|
||||
# Add this one for ports < 1024
|
||||
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||
#CapabilityBoundingSet=CAP_NET_RAW
|
||||
|
||||
SystemCallArchitectures=native
|
||||
|
||||
# Allow icmp
|
||||
#AmbientCapabilities=CAP_NET_RAW
|
||||
|
||||
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
|
||||
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
|
||||
# This is useful to turn off physical device access by the executed process
|
||||
PrivateDevices=true
|
||||
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
|
||||
DevicePolicy=closed
|
||||
|
||||
# No devices (except clock: ProtectClock)
|
||||
# See: https://github.com/systemd/systemd/issues/23185
|
||||
DeviceAllow=
|
||||
|
||||
BindReadOnlyPaths=/usr/share/snow-scanner
|
||||
|
||||
ExecStart=/usr/bin/snow-scanner
|
||||
Restart=on-failure
|
||||
|
||||
LimitNOFILE=infinity
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Reference in New Issue
Block a user