Example Linux Setup with Systemd

Overview

These instructions will give you a flexible and secure setup for Piqueserver that starts automatically at boot, restarts on crashes, and collects logs.

It also allows you to run as many instances as you want in parallel.

Instructions

Install latest piqueserver using pip or whatever other method you like.

# pip3 install piqueserver

Create a dedicated directory for piqueserver data. You can put this anywhere you like. It is a good idea to put some identifier for your server, such as ctf in the folder name, in case you want to create more server configs in the future.

# mkdir -p /var/lib/piqueserver/servername/

We want a seperate group to be able to restrict permissions in a more granular way

# groupadd --system piqueserver

Optionally join your own user to the piqueserver group to be able to edit files in the piqueserver directory freely.

# usermod -a -G piqueserver yourusername

We want to copy the default config directory over.

# piqueserver --copy-config -d /var/lib/piqueserver/servername

Edit a new file, /etc/systemd/system/piqueserver@.service and insert the following contents.

[Unit]
Description=Piqueserver

[Service]
ExecStart=/usr/local/bin/piqueserver -d /var/lib/piqueserver/%i
User=piqueserver
Group=piqueserver
Restart=always

# Security Sandbox Settings
Group=piqueserver
DynamicUser=true
# only allow access to the state folder, nothing else
ProtectHome=true
TemporaryFileSystem=/var:ro
PrivateDevices=true
StateDirectory=piqueserver/%i

# disallow any unusual syscalls
SystemCallFilter=@system-service

[Install]
WantedBy=network.target

You can now start, stop, and see the status of the process using systemctl.

# systemctl start [email protected]
# systemctl stop [email protected]
# systemctl status [email protected]

You will probably want to start the server at boot. To do this, run:

# systemctl enable [email protected]

To tail the logs, run

# journalctl -f -u [email protected]