add buffyboard systemd service

this is an optional feature. systemd distributions wishing to deploy
buffyboard may add `WantedBy=default.target` to the Install section.

buffyboard/buffyboard.service.in

@@ -0,0 +1,38 @@
+[Unit]
+Documentation=https://gitlab.postmarketos.org/postmarketOS/buffybox
+
+[Service]
+ExecStart=@bindir@/buffyboard
+Restart=on-failure
+
+# Allow access to input devices, framebuffer, tty
+DevicePolicy=closed
+DeviceAllow=/dev/uinput rw
+DeviceAllow=char-fb rw
+DeviceAllow=char-input rw
+DeviceAllow=char-tty rw
+# udev requires some limited networking
+RestrictAddressFamilies=AF_NETLINK
+
+# Hardening
+CapabilityBoundingSet=
+NoNewPrivileges=true
+RestrictSUIDSGID=true
+PrivateMounts=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RemoveIPC=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+SystemCallFilter=~@resources

buffyboard/meson.build

@@ -24,3 +24,13 @@ executable('buffyboard',
 
 install_data('buffyboard.conf', install_dir: get_option('sysconfdir'))
 
+
+configure_file(
+  input : 'buffyboard.service.in',
+  output : 'buffyboard.service',
+  install : true,
+  install_dir : get_option('libdir') / 'systemd/system',
+  configuration : {
+    'bindir' : get_option('prefix') / get_option('bindir'),
+  },
+)