From 506f54ede4d523a56d854bcf6c94ea1cf239b68b Mon Sep 17 00:00:00 2001 From: Jose Quintana Date: Mon, 26 Jun 2023 20:49:01 +0200 Subject: [PATCH] docs: sws systemd service example [skip ci] https://www.static-web-server.net/features/file-descriptor-socket-passing/#service-example --- docs/content/features/file-descriptor-socket-passing.md | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- systemd/etc_default_static-web-server | 4 ++-- systemd/static-web-server.service | 3 +++ 3 files changed, 73 insertions(+), 3 deletions(-) diff --git a/docs/content/features/file-descriptor-socket-passing.md b/docs/content/features/file-descriptor-socket-passing.md index 82be743..4949cdd 100644 --- a/docs/content/features/file-descriptor-socket-passing.md +++ b/docs/content/features/file-descriptor-socket-passing.md 
@@ -14,6 +14,67 @@ option. If you're using `systemd` on Linux, there is a fully working example in the SWS Git repository under the [.`/systemd`](https://github.com/static-web-server/static-web-server/tree/master/systemd) directory. +### Service example + +Below is a `systemd` service example. Follow the steps to create an SWS service using HTTP2 (`static-web-server.service`). +The service will bind SWS to a TCP `443` privileged port without running the server as root. + +If you want to change the server port used by the service, edit the value of `ListenStream` in the `static-web-server.socket` file. + +The template files can be found in [.`/systemd`](https://github.com/static-web-server/static-web-server/tree/master/systemd) directory. + +```sh +# 1. Copy environment file template +# Use an environment variable file, add/modify the values if necessary and +# assign the proper owner/permissions to the environment variable file. +# TIP: you could skip this step and use a config file if you prefer. +cp systemd/etc_default_static-web-server /etc/default/static-web-server + +# TIP: For example, you could create a `nologin` user with specific privileges. + +# 2. Copy service file templates +cp systemd/static-web-server.s* /etc/systemd/system/ + +# 3. Make sure that the `EnvironmentFile` and `ExecStart` values +# of the service match to the corresponding file paths in the `static-web-server.service` file. +# TIP: Use absolute paths. +# EnvironmentFile=/etc/default/static-web-server +# ExecStart=/usr/local/bin/static-web-server --fd 0 + +# 4. Make sure to change this value with an existing user editing the `static-web-server.service` file. +# SupplementaryGroups=www-data + +# 5. Create/reuse a directory for placing the certificate and private key. +# TIP: this is an example, you can create/reuse your own dirs. +sudo mkdir /etc/static-web-server + +# 6. For example purposes, copy the testing cert/key files. +# TIP: Use your own cert/key files instead. 
+sudo cp tests/tls/local.dev_cert.ecc.pem /etc/static-web-server/ +sudo cp tests/tls/local.dev_key.ecc.pem /etc/static-web-server/ + +# 7. Create/reuse a root directory (example only) +sudo mkdir -p /var/www/html +sudo sh -c 'echo "

Static Web Server is running!

" > /var/www/html/index.html' + +# 8. Reload systemd manager configuration +sudo systemctl daemon-reload + +# 9. Start the SWS service +sudo systemctl start static-web-server.service + +# 10. Show the status of the SWS service running +sudo systemctl status static-web-server.service + +# 11. Enable the service to start automatically at boot (optional) +sudo systemctl enable static-web-server.service + +# 12. Analyze and debug the SWS service security +sudo systemd-analyze security static-web-server.service +# If the service was successfully created then you should get something like: +# → Overall exposure level for static-web-server.service: 0.6 SAFE 😀 +``` + ## Testing Alternatively, the lightweight [`systemfd`](https://github.com/mitsuhiko/systemfd) utility may be useful, especially for testing purposes. @@ -21,5 +82,11 @@ Alternatively, the lightweight [`systemfd`](https://github.com/mitsuhiko/systemf For example, using `systemfd` utility as follow: ```sh -systemfd --no-pid -s http::8091 -- path/to/static-web-server --fd 0 +sudo systemfd --no-pid -s http::8091 -- path/to/static-web-server --fd 0 +``` + +Or if you want to test using an environment variables file then you could use [Enve](https://github.com/joseluisq/enve). + +```sh +sudo enve -f /path/to/environment.env systemfd --no-pid -s http::443 -- path/to/static-web-server --fd 0 ``` diff --git a/systemd/etc_default_static-web-server b/systemd/etc_default_static-web-server index 1e0e952..74c21f3 100644 --- a/systemd/etc_default_static-web-server +++ b/systemd/etc_default_static-web-server @@ -1,5 +1,5 @@ SERVER_ROOT=/var/www/html SERVER_HTTP2_TLS=true -SERVER_HTTP2_TLS_CERT=/etc/static-web-server/example_org_fullchain.pem -SERVER_HTTP2_TLS_KEY=/etc/static-web-server/example_org_privkey.pem +SERVER_HTTP2_TLS_CERT=/etc/static-web-server/local.dev_cert.ecc.pem +SERVER_HTTP2_TLS_KEY=/etc/static-web-server/local.dev_key.ecc.pem SERVER_LOG_LEVEL=warn 
diff --git a/systemd/static-web-server.service b/systemd/static-web-server.service index e9a7f02..044b871 100644 --- a/systemd/static-web-server.service +++ b/systemd/static-web-server.service @@ -52,7 +52,10 @@ StandardError=journal Restart=always RestartSec=5 DynamicUser=true + +# Make sure to change this value with an existing user SupplementaryGroups=www-data + NoNewPrivileges=yes PrivateTmp=yes ProtectSystem=strict -- libgit2 1.7.2
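Review bot: In the service-example hunk of file-descriptor-socket-passing.md, steps 5 and 6 copy the certificate and private key into /etc/static-web-server but never set ownership or mode on them, and step 1 only says to "assign the proper owner/permissions" without showing how. Because the service runs with `DynamicUser=true` and only gains file access through `SupplementaryGroups=www-data`, the example should include the commands that make the key group-readable and not world-readable, for instance `sudo chown root:www-data /etc/static-web-server/local.dev_key.ecc.pem` followed by `sudo chmod 640 /etc/static-web-server/local.dev_key.ecc.pem`, and the same for /etc/default/static-web-server since it names the key path. Smaller points in the same hunk: steps 1 and 2 write into /etc/default and /etc/systemd/system without `sudo` while steps 5 to 12 use it, so a reader following the script literally gets a permission error on the first command; and step 4 says to replace `SupplementaryGroups=www-data` with "an existing user", but that directive takes group names.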
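Review bot: In the Testing hunk, prefixing the `systemfd --no-pid -s http::8091` example with `sudo` runs both systemfd and static-web-server as root for an unprivileged port, which is the opposite of what the new service example sets out to demonstrate; only the `http::443` variant needs elevated privileges to bind. Suggest dropping `sudo` from the 8091 line, or adding a sentence explaining that it is required only when the socket is a privileged port, so readers do not copy a root-run server into their test setups.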
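Review bot: In the systemd/etc_default_static-web-server hunk, replacing the `example_org_fullchain.pem` / `example_org_privkey.pem` placeholders with `local.dev_cert.ecc.pem` / `local.dev_key.ecc.pem` makes the shipped template point at the repository's own testing key pair by default; a user who copies it to /etc/default as step 1 instructs and does not edit it will serve TLS with a key that is published in the repo. Suggest keeping the obviously fake `example_org_*` names, or adding a comment line above `SERVER_HTTP2_TLS_CERT=` stating that these must be replaced with the deployment's real certificate and key before the service is started.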
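Review bot: In the systemd/static-web-server.service hunk, the added comment "Make sure to change this value with an existing user" above `SupplementaryGroups=www-data` is misleading: `SupplementaryGroups=` takes group names, and on most distributions `www-data` is the group that owns web content. Suggest "Change this to an existing group that has read access to the server root and the TLS cert/key; the dynamic user the service runs as is added to it", which also tells the reader why the directive matters alongside `DynamicUser=true`.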