meta: provide systemd template files

Signed-off-by: NotAShelf <raf@notashelf.dev>
Change-Id: I2ed3bcfa3e0f58685a883a301c898ee86a6a6964

contrib/systemd/watchdog.service

@@ -0,0 +1,53 @@
+[Unit]
+Description=Watchdog Privacy Analytics
+Documentation=https://github.com/notashelf/watchdog
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=watchdog
+Group=watchdog
+
+ExecStart=watchdog -config /etc/watchdog/config.yaml
+
+Restart=on-failure
+RestartSec=5s
+
+# State directory for HLL persistence
+StateDirectory=watchdog
+WorkingDirectory=/var/lib/watchdog
+
+# Security hardening
+NoNewPrivileges=true
+PrivateTmp=true
+
+# File system protections
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/watchdog
+
+# Capabilities
+AmbientCapabilities=
+CapabilityBoundingSet=
+
+# Sandboxing
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+
+# System call filtering
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target

contrib/systemd/watchdog.sysusers

@@ -0,0 +1,2 @@
+#Type Name     ID             GECOS                    Home directory      Shell
+u     watchdog -              "Watchdog Analytics"     /var/lib/watchdog   /usr/sbin/nologin

contrib/systemd/watchdog.tmpfiles

@@ -0,0 +1,3 @@
+#Type Path                Mode User     Group    Age Argument
+d     /var/lib/watchdog   0750 watchdog watchdog -   -
+d     /etc/watchdog       0755 root     root     -   -