From 24e3f92a59b6ab47b80b2c1a86fc7f7954812268 Mon Sep 17 00:00:00 2001
From: Darell Tan
Date: Fri, 4 Aug 2023 01:16:24 +0800
Subject: [PATCH] Added systemd unit file

The unit file is similar to the one I initially wrote for regelwerk, which uses DynamicUser to isolate the process.
---
hapz2m.service | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 hapz2m.service

diff --git a/hapz2m.service b/hapz2m.service
new file mode 100644
index 0000000..4c89cb5
--- /dev/null
+++ b/hapz2m.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=HomeKit to Zigbee2MQTT Bridge
+After=network.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Type=exec
+ExecStart=/usr/bin/hapz2m -quiet -config /var/lib/hapz2m/hapz2m.conf -db /var/lib/hapz2m/db
+PrivateDevices=yes
+PrivateTmp=yes
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=yes
+RestrictNamespaces=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+
+# hack for DynamicUser readable config file, systemd < 251
+# see https://github.com/systemd/systemd/issues/16060#issuecomment-964168566
+DynamicUser=yes
+StateDirectory=hapz2m
+ExecStartPre=+bash -c "install -p -m 0660 -o $(stat -L -c %%u /var/lib/hapz2m) -t /var/lib/hapz2m/ /etc/hapz2m.conf"
+
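Review bot: The `ExecStartPre=+bash -c "install …"` line runs with full root privileges (the `+` prefix) and copies `/etc/hapz2m.conf` into the state directory with `-m 0660`, which leaves the copy writable by the dynamic service user. If hapz2m only reads its config, `-m 0400` is enough and keeps a compromised bridge process from altering the file it runs with; since the command runs as root, naming the shell by absolute path (`/bin/bash`, path assumed) rather than bare `bash` is also preferable. `DynamicUser=yes` is documented to imply `ProtectSystem=strict`, `PrivateTmp=yes` and `NoNewPrivileges=yes`, so the explicit `ProtectSystem=full` reads as weaker than what is in effect and could be dropped or changed to `strict`. Where the minimum supported systemd version allows, `LoadCredential=` would hand the config to the service without a root-run copy step.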