feat(packaging): add goreleaser recipe

misc/packaging/systemd/rebound.env

@@ -0,0 +1,6 @@
+REBOUND_ADDRESS=:8080
+REBOUND_HTTP_CUSTOM_DIR=/var/lib/rebound/custom
+REBOUND_SSH_PUBLIC_HOST=rebound
+REBOUND_SSH_PUBLIC_PORT=8080
+REBOUND_SSH_SOCK_DIR=/var/lib/rebound/socks
+REBOUND_SSH_HOST_KEY=/var/lib/rebound/host.key

misc/packaging/systemd/rebound.systemd.service

@@ -0,0 +1,35 @@
+[Unit]
+Description=rebound service
+After=network.target
+
+[Service]
+Type=simple
+Restart=on-failure
+EnvironmentFile=/etc/rebound/environ
+ExecStart=/usr/bin/rebound
+EnvironmentFile=/etc/rebound/environ
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateUsers=yes
+DynamicUser=yes
+StateDirectory=rebound
+DevicePolicy=closed
+ProtectSystem=true
+ProtectHome=read-only
+ProtectKernelLogs=yes
+ProtectProc=invisible
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH  CAP_FOWNER CAP_IPC_OWNER CAP_NET_ADMIN CAP_WAKE_ALARM CAP_SYS_TTY_CONFIG 
+
+[Install]
+WantedBy=multi-user.target