Fix #248 - Make a Debian package

snow-scanner/Cargo.toml

@@ -76,3 +76,31 @@ cidr = "0.3.0"
 serde = { version = "1.0.210", features = ["derive"] }
 serde_json = "1.0.128"
 weighted-rs = "0.1.3"
+
+[package.metadata.deb]
+maintainer = "William Desportes <williamdes@wdes.fr>"
+copyright = "2022-2025, William Desportes <williamdes@wdes.fr>"
+license-file = ["../LICENSE"]
+extended-description = """\
+Find hidden IPs in the internet snow."""
+depends = "$auto"
+section = "rust"
+priority = "optional"
+assets = [
+    { source = "README.md", dest = "usr/share/doc/snow-scanner/README", mode = "644"},
+    { source = "../data/collections/*/*", dest = "usr/share/snow-scanner/data/collections", mode = "644"},
+    { source = "../data/scanners/*", dest = "usr/share/snow-scanner/data/scanners", mode = "644"},
+    { source = "target/release/snow-scanner", dest = "usr/bin/snow-scanner", mode = "777"},
+    { source = "target/release/snow-scanner-worker", dest = "usr/bin/snow-scanner-worker", mode = "777"},
+]
+
+maintainer-scripts = "debian/"
+systemd-units = [
+    { unit-name = "snow-scanner", enable = true, start = false, restart-after-upgrade = true, stop-on-upgrade = true },
+    { unit-name = "snow-scanner-worker", enable = true, start = false, restart-after-upgrade = true, stop-on-upgrade = true }
+]
+
+conf-files = [
+    "/etc/snow-scanner/.env",
+    "/etc/snow-scanner/worker.env"
+]

snow-scanner/debian/snow-scanner-worker.service

@@ -0,0 +1,77 @@
+[Unit]
+Description=Snow scanner worker
+After=network.target
+
+[Service]
+Type=simple
+User=snow-scanner
+Group=snow-scanner
+EnvironmentFile=/etc/snow-scanner/worker.env
+
+RemoveIPC=true
+ProtectHome=true
+NoNewPrivileges=true
+
+PrivateTmp=false
+ProtectSystem=strict
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
+# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
+# This is useful to turn off physical device access by the executed process
+PrivateDevices=true
+# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
+DevicePolicy=closed
+ProtectProc=invisible
+ProtectClock=true
+ProcSubset=pid
+ProtectHostname=true
+ProtectKernelLogs=true
+# This will fail icmp pingers if set to true
+PrivateUsers=false
+
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
+SystemCallFilter=~@privileged @raw-io @reboot @resources @swap @keyring
+SystemCallFilter=~@pkey @ipc
+
+# to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately.
+SystemCallErrorNumber=EPERM
+
+# See: https://www.opensourcerers.org/2022/04/25/optimizing-a-systemd-service-for-security/
+# Run: systemd-analyze security snow-scanner
+# Add this one for ports < 1024
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#CapabilityBoundingSet=CAP_NET_RAW
+
+SystemCallArchitectures=native
+
+# Allow icmp
+#AmbientCapabilities=CAP_NET_RAW
+
+# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
+# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
+# This is useful to turn off physical device access by the executed process
+PrivateDevices=true
+# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
+DevicePolicy=closed
+
+# No devices (except clock: ProtectClock)
+# See: https://github.com/systemd/systemd/issues/23185
+DeviceAllow=
+
+BindReadOnlyPaths=/usr/share/snow-scanner
+
+ExecStart=/usr/bin/snow-scanner-worker
+Restart=on-failure
+
+LimitNOFILE=infinity
+
+[Install]
+WantedBy=multi-user.target

snow-scanner/debian/snow-scanner.service

@@ -0,0 +1,77 @@
+[Unit]
+Description=Snow scanner server
+After=network.target
+
+[Service]
+Type=simple
+User=snow-scanner
+Group=snow-scanner
+EnvironmentFile=/etc/snow-scanner/.env
+
+RemoveIPC=true
+ProtectHome=true
+NoNewPrivileges=true
+
+PrivateTmp=false
+ProtectSystem=strict
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
+# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
+# This is useful to turn off physical device access by the executed process
+PrivateDevices=true
+# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
+DevicePolicy=closed
+ProtectProc=invisible
+ProtectClock=true
+ProcSubset=pid
+ProtectHostname=true
+ProtectKernelLogs=true
+# This will fail icmp pingers if set to true
+PrivateUsers=false
+
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
+SystemCallFilter=~@privileged @raw-io @reboot @resources @swap @keyring
+SystemCallFilter=~@pkey @ipc
+
+# to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately.
+SystemCallErrorNumber=EPERM
+
+# See: https://www.opensourcerers.org/2022/04/25/optimizing-a-systemd-service-for-security/
+# Run: systemd-analyze security snow-scanner
+# Add this one for ports < 1024
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#CapabilityBoundingSet=CAP_NET_RAW
+
+SystemCallArchitectures=native
+
+# Allow icmp
+#AmbientCapabilities=CAP_NET_RAW
+
+# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
+# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
+# This is useful to turn off physical device access by the executed process
+PrivateDevices=true
+# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
+DevicePolicy=closed
+
+# No devices (except clock: ProtectClock)
+# See: https://github.com/systemd/systemd/issues/23185
+DeviceAllow=
+
+BindReadOnlyPaths=/usr/share/snow-scanner
+
+ExecStart=/usr/bin/snow-scanner
+Restart=on-failure
+
+LimitNOFILE=infinity
+
+[Install]
+WantedBy=multi-user.target