first commit
This commit is contained in:
15
config/domains.conf.example
Normal file
15
config/domains.conf.example
Normal file
@@ -0,0 +1,15 @@
|
||||
# Domain Allowlist for 18004 Server
|
||||
# One domain per line. Lines starting with # are comments.
|
||||
# These domains are allowed on the restricted SVG/PNG ports.
|
||||
#
|
||||
# The server strips the first subdomain from incoming requests:
|
||||
# Request to qr.example.com -> checks "example.com" against this list
|
||||
# Request to png.mysite.org -> checks "mysite.org" against this list
|
||||
#
|
||||
# Domains can also be added/removed at runtime via the API port:
|
||||
# POST /domains/add {"domain": "newsite.com"}
|
||||
# POST /domains/remove {"domain": "oldsite.com"}
|
||||
# Runtime changes are persisted back to this file.
|
||||
|
||||
example.com
|
||||
mysite.org
|
||||
18
config/server.conf.example
Normal file
18
config/server.conf.example
Normal file
@@ -0,0 +1,18 @@
|
||||
# 18004 Server Configuration
|
||||
# Copy this file to /etc/server18004/server.conf
|
||||
|
||||
# Port for restricted SVG QR code generation
|
||||
port_svg = 4081
|
||||
|
||||
# Port for restricted PNG QR code generation
|
||||
port_png = 4082
|
||||
|
||||
# Port for unrestricted JSON API (generate, domain management)
|
||||
port_api = 4083
|
||||
|
||||
# Port for restricted AVIF QR code generation
|
||||
port_avif = 4084
|
||||
|
||||
# Default domain that is always allowed on restricted ports
|
||||
# (does not need to be in the domains allowlist)
|
||||
default_domain = "example.com"
|
||||
56
config/server18004.service
Normal file
56
config/server18004.service
Normal file
@@ -0,0 +1,56 @@
|
||||
[Unit]
|
||||
Description=QR Code Generation Server (ISO 18004)
|
||||
Documentation=https://github.com/your-org/server18004
|
||||
After=network.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=qrserver
|
||||
Group=qrserver
|
||||
|
||||
# Binary location (adjust after cargo build --release)
|
||||
ExecStart=/usr/local/bin/server18004 \
|
||||
--config-path /etc/server18004/server.conf \
|
||||
--domains-path /etc/server18004/domains.conf
|
||||
|
||||
# Restart policy
|
||||
Restart=on-failure
|
||||
RestartSec=5
|
||||
StartLimitIntervalSec=60
|
||||
StartLimitBurst=5
|
||||
|
||||
# Environment
|
||||
Environment=RUST_LOG=info
|
||||
# Uncomment for debug logging:
|
||||
# Environment=RUST_LOG=debug
|
||||
|
||||
# Security hardening
|
||||
NoNewPrivileges=true
|
||||
ProtectSystem=strict
|
||||
ProtectHome=true
|
||||
PrivateTmp=true
|
||||
PrivateDevices=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectControlGroups=true
|
||||
RestrictSUIDSGID=true
|
||||
MemoryDenyWriteExecute=true
|
||||
LockPersonality=true
|
||||
RestrictRealtime=true
|
||||
RestrictNamespaces=true
|
||||
|
||||
# Allow writing to config directory (for domain persistence)
|
||||
ReadWritePaths=/etc/server18004
|
||||
|
||||
# Resource limits
|
||||
LimitNOFILE=65536
|
||||
LimitNPROC=4096
|
||||
|
||||
# Logging
|
||||
StandardOutput=journal
|
||||
StandardError=journal
|
||||
SyslogIdentifier=server18004
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Reference in New Issue
Block a user