From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Mon, 22 Dec 2025 12:59:56 +0000 (+0100)
Subject: auth: Install systemd unit files when building with meson
X-Git-Tag: rec-5.4.0-beta1~76^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=37f663ed7905b9e7c411c4135d8f11e67bb43805;p=thirdparty%2Fpdns.git

auth: Install systemd unit files when building with meson

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>
---

diff --git a/meson.build b/meson.build
index a571fb2ca1..74f308bf56 100644
--- a/meson.build
+++ b/meson.build
@@ -160,6 +160,9 @@ deps = [
 ]
 
 if dep_systemd_prog.found()
+  systemd_system_unit_dir = dep_systemd_prog.get_variable(
+    'systemdsystemunitdir',
+  )
   systemd_service_conf = configuration_data()
   systemd_service_conf.set('BinDir', get_option('prefix') / get_option('bindir'))
   systemd_service_conf.set('StaticBinDir', get_option('prefix') / get_option('sbindir'))
@@ -231,13 +234,15 @@ if dep_systemd_prog.found()
   auth_service_conf_general.set('Description', 'PowerDNS Authoritative Server')
   auth_service_conf_general.set('ConfigName', '')
   auth_service_conf_general.set('SocketDir', enable_socket_dir ? '--socket-dir=%t/pdns' : '')
-  auth_service_conf_general.set('SyslogIdentifier', 'pdns')
+  auth_service_conf_general.set('SyslogIdentifier', 'pdns_server')
   auth_service_conf_general.set('RuntimeDirectory', 'pdns')
 
   configure_file(
-    input: 'auth' / 'systemd' / 'pdns.service.in',
+    input: 'pdns' / 'pdns.service.meson.in',
     output: 'pdns.service',
     configuration: auth_service_conf_general,
+    install: true,
+    install_dir: systemd_system_unit_dir,
   )
 
   auth_service_conf_instance = configuration_data()
@@ -249,9 +254,11 @@ if dep_systemd_prog.found()
   auth_service_conf_instance.set('RuntimeDirectory', have_systemd_percent_t ? 'pdns-%i' : 'pdns')
 
   configure_file(
-    input: 'auth' / 'systemd' / 'pdns.service.in',
+    input: 'pdns' / 'pdns.service.meson.in',
     output: 'pdns@.service',
     configuration: auth_service_conf_instance,
+    install: true,
+    install_dir: systemd_system_unit_dir,
   )
 
   if get_option('tools-ixfrdist')
@@ -272,9 +279,11 @@ if dep_systemd_prog.found()
     ixfrdist_service_conf_general.set('Config', '')
 
     configure_file(
-      input: 'auth' / 'systemd' / 'ixfrdist.service.in',
+      input: 'pdns' / 'ixfrdist.service.meson.in',
       output: 'ixfrdist.service',
       configuration: ixfrdist_service_conf_general,
+      install: true,
+      install_dir: systemd_system_unit_dir,
     )
 
     ixfrdist_service_conf_instance = configuration_data()
@@ -283,9 +292,11 @@ if dep_systemd_prog.found()
     ixfrdist_service_conf_instance.set('Config', '--config=' + get_option('sysconfdir') + '/ixfrdist-%i.yml')
 
     configure_file(
-      input: 'auth' / 'systemd' / 'ixfrdist.service.in',
+      input: 'pdns' / 'ixfrdist.service.meson.in',
       output: 'ixfrdist@.service',
       configuration: ixfrdist_service_conf_instance,
+      install: true,
+      install_dir: systemd_system_unit_dir,
     )
   endif
 endif
diff --git a/auth/systemd/ixfrdist.service.in b/pdns/ixfrdist.service.meson.in
similarity index 100%
rename from auth/systemd/ixfrdist.service.in
rename to pdns/ixfrdist.service.meson.in
index 556be4275d..aa88dd17f2 100644
--- a/auth/systemd/ixfrdist.service.in
+++ b/pdns/ixfrdist.service.meson.in
@@ -15,9 +15,8 @@ StartLimitInterval=0
 
 # Sandboxing
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
-NoNewPrivileges=true
-DevicePolicy=closed
 @LockPersonality@
+NoNewPrivileges=true
 @PrivateDevices@
 @PrivateTmp@
 @PrivateUsers@
@@ -38,6 +37,7 @@ DevicePolicy=closed
 @ProtectProc@
 @PrivateIPC@
 @RemoveIPC@
+DevicePolicy=closed
 @MemoryDenyWriteExecute@
 
 [Install]
diff --git a/auth/systemd/pdns.service.in b/pdns/pdns.service.meson.in
similarity index 75%
rename from auth/systemd/pdns.service.in
rename to pdns/pdns.service.meson.in
index eaad6556c4..6ad0981ddf 100644
--- a/auth/systemd/pdns.service.in
+++ b/pdns/pdns.service.meson.in
@@ -1,7 +1,6 @@
 [Unit]
 Description=@Description@
-Documentation=man:pdns_server(1)
-Documentation=man:pdns_control(1)
+Documentation=man:pdns_server(1) man:pdns_control(1)
 Documentation=https://doc.powerdns.com
 Wants=network-online.target
 After=network-online.target mysql.service mysqld.service postgresql.service slapd.service mariadb.service time-sync.target
@@ -20,12 +19,11 @@ RuntimeDirectory=@RuntimeDirectory@
 # Sandboxing
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
 AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
-NoNewPrivileges=true
-DevicePolicy=closed
 @LockPersonality@
+NoNewPrivileges=true
 @PrivateDevices@
 @PrivateTmp@
-@PrivateUsers@
+# Setting PrivateUsers=true prevents us from opening our sockets
 @ProtectClock@
 @ProtectControlGroups@
 @ProtectHome@
@@ -33,6 +31,8 @@ DevicePolicy=closed
 @ProtectKernelLogs@
 @ProtectKernelModules@
 @ProtectKernelTunables@
+# ProtectSystem=full will disallow write access to /etc and /usr, possibly
+# not being able to write slaved-zones into sqlite3 or zonefiles.
 @ProtectSystem@
 @RestrictAddressFamilies@
 @RestrictNamespaces@
@@ -43,7 +43,9 @@ DevicePolicy=closed
 @ProtectProc@
 @PrivateIPC@
 @RemoveIPC@
-@MemoryDenyWriteExecute@
+DevicePolicy=closed
+# Not enabled by default because it does not play well with LuaJIT
+# MemoryDenyWriteExecute=true
 
 [Install]
 WantedBy=multi-user.target