Add systemd service unit file

Installs to /lib/systemd/system/.  Includes security hardening
directives: NoNewPrivileges, ProtectSystem=strict, PrivateTmp,
PrivateDevices, MemoryDenyWriteExecute, and others.

Author: renaudallard

Makefile

@@ -5,6 +5,7 @@ CFLAGS +=	-Wall -Wextra -Werror -pedantic -std=c99
 PREFIX ?=	/usr/local
 BINDIR ?=	$(PREFIX)/bin
 MANDIR ?=	$(PREFIX)/share/man
+UNITDIR ?=	/lib/systemd/system
 
 all: thinproxy
 
@@ -16,10 +17,13 @@ install: thinproxy
 	install -m 755 thinproxy $(DESTDIR)$(BINDIR)/
 	install -d $(DESTDIR)$(MANDIR)/man8
 	install -m 644 thinproxy.8 $(DESTDIR)$(MANDIR)/man8/
+	install -d $(DESTDIR)$(UNITDIR)
+	install -m 644 thinproxy.service $(DESTDIR)$(UNITDIR)/
 
 uninstall:
 	rm -f $(DESTDIR)$(BINDIR)/thinproxy
 	rm -f $(DESTDIR)$(MANDIR)/man8/thinproxy.8
+	rm -f $(DESTDIR)$(UNITDIR)/thinproxy.service
 
 clean:
 	rm -f thinproxy

README.md

@@ -41,6 +41,13 @@ The default prefix is `/usr/local`. Override with:
 make install PREFIX=/usr DESTDIR=/tmp/pkg
 ```
 
+A systemd unit file is installed to `/lib/systemd/system/`. To enable:
+
+```sh
+sudo systemctl daemon-reload
+sudo systemctl enable --now thinproxy
+```
+
 ## Usage
 
 ```

thinproxy.service

@@ -0,0 +1,27 @@
+[Unit]
+Description=thinproxy lightweight HTTP/HTTPS proxy
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/thinproxy -f /etc/thinproxy.conf
+Restart=on-failure
+RestartSec=5
+
+# Security hardening
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+ReadOnlyPaths=/etc/thinproxy.conf
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+
+[Install]
+WantedBy=multi-user.target