git » gofer » commit 18c285d

etc: Simplify systemd example config

author Alberto Bertogli
2022-10-08 00:09:39 UTC
committer Alberto Bertogli
2022-10-09 11:34:34 UTC
parent bcf593dfa9b906bf5d78aa157192f4b52ca07834

etc: Simplify systemd example config

This patch simplifies the systemd example config by giving gofer the
capability to bind to privileged ports (so there's no need for the
additional descriptor passing), and by setting up the user and logs directory.

That way we simplify the install process (and configuration) for the
most common use cases.

etc/gofer.yaml +6 -4
etc/systemd/gofer-http.socket +0 -5
etc/systemd/gofer-https.socket +0 -5
etc/systemd/gofer.service +15 -2

diff --git a/etc/gofer.yaml b/etc/gofer.yaml
index 998bb9e..1d27d9b 100644
--- a/etc/gofer.yaml
+++ b/etc/gofer.yaml
@@ -29,7 +29,7 @@ http:
   # systemd socket passing is supported, use "&name" to indicate that you've
   # set up a systemd socket unit with "FileDescriptorName=name".
   # Examples: ":80", "127.0.0.1:8080", "&http".
-  "&http":
+  ":80":
     # Routes indicate how to handle each request based on its path.
     # The path have the semantics of http.ServeMux.
     routes:
@@ -85,7 +85,7 @@ http:
 
 # HTTPS servers.
 https:
-  "&https":
+  ":443":
     # Automatically get TLS certificates.
     # Using this implies acceptance of LetsEncrypt's terms of service (or the
     # selected CA).
@@ -113,9 +113,11 @@ https:
     # The rest of the fields are the same as for http above.
     routes:
       "/":
-        proxy: "http://localhost:8080/"
+        dir: "/srv/www/"
       "/local/":
-        proxy: "http://localhost:99/"
+        proxy: "http://localhost:8099/"
+      "www.mysite.com/":
+        redirect: "https://mysite.com/"
 
 
 # Raw socket proxying.
diff --git a/etc/systemd/gofer-http.socket b/etc/systemd/gofer-http.socket
deleted file mode 100644
index 42c3009..0000000
--- a/etc/systemd/gofer-http.socket
+++ /dev/null
@@ -1,5 +0,0 @@
-[Socket]
-ListenStream=80
-FileDescriptorName=http
-Service=gofer.service
-
diff --git a/etc/systemd/gofer-https.socket b/etc/systemd/gofer-https.socket
deleted file mode 100644
index 7248a1e..0000000
--- a/etc/systemd/gofer-https.socket
+++ /dev/null
@@ -1,5 +0,0 @@
-[Socket]
-ListenStream=443
-FileDescriptorName=https
-Service=gofer.service
-
diff --git a/etc/systemd/gofer.service b/etc/systemd/gofer.service
index 659bf93..e53c2c0 100644
--- a/etc/systemd/gofer.service
+++ b/etc/systemd/gofer.service
@@ -1,6 +1,5 @@
 [Unit]
-Description=gofer proxy
-Requires=gofer-http.socket gofer-https.socket
+Description=gofer web server and reverse proxy
 
 [Service]
 ExecStart=/usr/local/bin/gofer -configfile=/etc/gofer.yaml
@@ -10,6 +9,20 @@ Restart=always
 
 User=gofer
 Group=gofer
+DynamicUser=true
+
+# Allow gofer to write in /var, since it is a common destination for logs.
+ReadWritePaths=/var
+
+# Cache directory, used by autocerts.
+CacheDirectory=gofer
+
+# Logs directory, for convenience.
+# To use this, configure reqlogs to be inside /var/log/gofer/.
+LogsDirectory=gofer
+
+# Let gofer listen on ports < 1024.
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 
 # Simple security measures just in case.
 ProtectSystem=full
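Review bot: `ReadWritePaths=/var` is much broader than this unit needs and works against the `DynamicUser=true` added just above it. Per systemd.exec(5), DynamicUser= implies a read-only file system view so that files owned by a recycled dynamic UID are not left in arbitrary locations; re-opening all of /var for writing undoes that, while `CacheDirectory=gofer` and `LogsDirectory=gofer` already provide writable /var/cache/gofer and /var/log/gofer. I would drop the `ReadWritePaths=/var` line (or narrow it to one specific directory) and pair the new ambient capability with `CapabilityBoundingSet=CAP_NET_BIND_SERVICE`, so the service cannot hold any capability beyond the one it is granted. The [Service] section continues past the end of this hunk, so further hardening options may already be set there.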