Also use some stricter security features systemd provides.
This change is from GitHub user John Goerzen (@jgoerzen) as provided
in his comment:
https://github.com/yggdrasil-network/yggdrasil-go/pull/816#issuecomment-1006679721
ProtectSystem=strict prevents it from modifying basically anything on
the filesystem, so therefore we have to specify the possible locations
for the runtime directory under ReadWritePaths.
The `AdminListen` option and `yggdrasilctl` now default to
`unix:///var/run/yggdrasil/yggdrasil.sock` on Linux
This allows yggdrasil to be run as its own user.
Closes #802
An Internet accessible service should aim to have as little as
possible attack surface, which is much easier to do when running
with the absolute minimum number of privileges.
This makes the systemd setup run the service as a user 'yggdrasil'
and uses the systemd feature `RuntimeDirectory` to auto-create
the /var/run/yggdrasil dir so our non-elevated client can still
create the socket.
The sysusers file will cause the user to be created on first install
using the sysusers subsystem.
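A unit file that applies the hardening the message describes (dedicated user, RuntimeDirectory, ProtectSystem=strict with ReadWritePaths), written here as an added illustration and not the project's shipped unit. The binary and config paths, and the assumption that the daemon needs CAP_NET_ADMIN to create its TUN device, are mine.

```ini
# /etc/systemd/system/yggdrasil.service  (illustrative; binary and config paths assumed)
[Unit]
Description=Yggdrasil Network daemon (hardened example)
After=network-online.target
Wants=network-online.target

[Service]
# Run as the dedicated, unprivileged account created by the sysusers fragment.
User=yggdrasil
Group=yggdrasil

# Assumption: the daemon creates a TUN interface, which needs CAP_NET_ADMIN.
# Grant only that capability instead of running the whole process as root.
CapabilityBoundingSet=CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_ADMIN
NoNewPrivileges=true

# Entire filesystem read-only; the service can write only where listed below.
ProtectSystem=strict
ProtectHome=true

# systemd creates /run/yggdrasil (owned by yggdrasil:yggdrasil, mode 0750) at
# start and removes it at stop, so the non-root process can create
# /var/run/yggdrasil/yggdrasil.sock, the new default AdminListen endpoint.
RuntimeDirectory=yggdrasil
RuntimeDirectoryMode=0750
# Keep both spellings of the runtime dir writable under ProtectSystem=strict
# (/var/run is a symlink to /run on most distributions).
ReadWritePaths=/var/run/yggdrasil /run/yggdrasil

# Assumed install paths; adjust to where the package puts the binary and config.
ExecStart=/usr/bin/yggdrasil -useconffile /etc/yggdrasil.conf
Restart=always

[Install]
WantedBy=multi-user.target
```

The matching sysusers.d fragment is a single line, `u yggdrasil - "Yggdrasil Network daemon" -`, which systemd-sysusers turns into the system account at install time so the unit's `User=` resolves before the first start.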
* Move yggdrasilctl responses to separate functions
* Move yggdrasilctl request switch to separate function
* Add empty lines
* Create struct CmdLine for yggdrasilctl
* Move yggdrasilctl command line parsing to separate func
* Turn struct CmdLine into CmdLineEnv
* Rename func parseCmdLine to parseFlagsAndArgs
* Move yggdrasilctl endpoint setting logic into separate func
* Function to create yggdrasilctl CmdLineEnv
* Reorder code
* Move struct fields into lines
* Turn yggdrasilctl CmdLineEnv funcs to methods
* Move yggdrasilctl connection code to separate func
* Rename functions
* Move yggdrasilctl command line env to separate mod
* Move yggdrasilctl command line env to main mod
* Run goimports
Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
This makes src/address.AddrForKey preallocate 32 bytes before starting
the address derivation. As benches in syg_go show, reallocating temp
takes 20% of the function runtime.