From e473a3fd8a32595064549acde4eb54cfadf2b50a Mon Sep 17 00:00:00 2001
From: Mark Mennell
Date: Fri, 17 Apr 2026 22:21:16 +0800
Subject: [PATCH 1/4] improved systemd example
---
 README.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 48 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 0fd9882..c1d5c4a 100644
--- a/README.md
+++ b/README.md
@@ -63,28 +63,72 @@ An example systemd service to run fmsgd as a service on startup ASSUMES: * Directory `/opt/fmsgd` has been created and contains built executable: `fmsgd` -* Text file `/opt/fmsgd/env` exists containing environment variables +* Text file `/opt/fmsgd/env` exists containing environment variables (example below) * User `fmsg` has been created and has - read and execute permissions to `/opt/fmsgd/`, e.g. with `chown -R fmsg:fmsg /opt/fmsgd` after `mkdir /opt/fmsgd` - write permissions to FMSG_DATA_DIR +* Directory `/var/lib/fmsgd` has been created and owned by fmsg `/etc/systemd/system/fmsgd.service` ``` [Unit] Description=fmsg Host -After=network.target +After=network-online.target +Wants=network-online.target [Service] -EnvironmentFile=/opt/fmsgd/env -ExecStart=/opt/fmsgd/fmsgd "0.0.0.0" +Type=simple + User=fmsg Group=fmsg +EnvironmentFile=/opt/fmsgd/env + +ExecStart=/opt/fmsgd/fmsgd 0.0.0.0 +WorkingDirectory=/opt/fmsgd + +Restart=on-failure +RestartSec=3 + +# --- Filesystem access --- +ReadWritePaths=/opt/fmsgd +ReadWritePaths=/var/lib/fmsgd + +# --- Hardening --- +NoNewPrivileges=true +PrivateTmp=true +ProtectSystem=strict +ProtectHome=true + +# --- Logging --- +StandardOutput=journal +StandardError=journal + [Install] WantedBy=multi-user.target ``` +``` +FMSG_DATA_DIR=/var/lib/fmsgd/ +FMSG_DOMAIN=example.com +FMSG_ID_URL=http://127.0.0.1:8080 + + +FMSG_MAX_MSG_SIZE=10240 +FMSG_MAX_PAST_TIME_DELTA=604800 +FMSG_MAX_FUTURE_TIME_DELTA=300 +FMSG_MIN_DOWNLOAD_RATE=5000 +FMSG_MIN_UPLOAD_RATE=5000 +FMSG_READ_BUFFER_SIZE=1600 + +PGHOST=127.0.0.1 +PGPORT=5432 +PGUSER= +PGPASSWORD= +PGDATABASE=fmsgd +``` + ``` sudo systemctl daemon-reload sudo systemctl enable fmsgd From b9118994e0091d04b48ff73444cb0dd93cef0b13 Mon Sep 17 00:00:00 2001 From: Mark Mennell Date: Fri, 17 Apr 2026 22:21:46 +0800 Subject: [PATCH 2/4] added .env.example --- src/.env.example | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 src/.env.example 
diff --git a/src/.env.example b/src/.env.example
new file mode 100644
index 0000000..920169b
--- /dev/null
+++ b/src/.env.example
@@ -0,0 +1,22 @@
+# fmsgd Environment Variables
+
+# Required
+FMSG_DATA_DIR=/var/lib/fmsgd/
+FMSG_DOMAIN=example.com
+FMSG_ID_URL=http://127.0.0.1:8080
+
+
+FMSG_MAX_MSG_SIZE=10240
+FMSG_MAX_PAST_TIME_DELTA=604800
+FMSG_MAX_FUTURE_TIME_DELTA=300
+FMSG_MIN_DOWNLOAD_RATE=5000
+FMSG_MIN_UPLOAD_RATE=5000
+FMSG_READ_BUFFER_SIZE=1600
+
+# PostgreSQL connection variables (see https://www.postgresql.org/docs/current/libpq-envars.html)
+PGHOST=127.0.0.1
+PGPORT=5432
+PGUSER=
+PGPASSWORD=
+PGDATABASE=fmsgd
+PGSSLMODE=disable
From 9c18c42739c370c828c2d1f095c6e108a265ffab Mon Sep 17 00:00:00 2001
From: Mark Mennell
Date: Fri, 17 Apr 2026 22:31:54 +0800
Subject: [PATCH 3/4] PrivateTmp=true
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index c1d5c4a..ed313ee 100644
--- a/README.md
+++ b/README.md
@@ -94,6 +94,7 @@ RestartSec=3
 # --- Filesystem access ---
 ReadWritePaths=/opt/fmsgd
 ReadWritePaths=/var/lib/fmsgd
+PrivateTmp=true
 
 # --- Hardening ---
 NoNewPrivileges=true
From 2a5b92cd3471414f89e117f8bbd4c3ec0e419d16 Mon Sep 17 00:00:00 2001
From: Mark Mennell
Date: Fri, 17 Apr 2026 22:38:05 +0800
Subject: [PATCH 4/4] fix checkDomainIP()
---
 src/host.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/host.go b/src/host.go
index ddac2b1..11ef000 100644
--- a/src/host.go
+++ b/src/host.go
@@ -233,7 +233,7 @@ func setDomain() {
 if !hasValue {
 log.Panicln("ERROR: FMSG_DOMAIN not set")
 }
- _, err := net.LookupHost(domain)
+ _, err := net.LookupHost("fmsg." + domain)
 if err != nil {
 log.Panicf("ERROR: FMSG_DOMAIN, %s: %s\n", domain, err)
 }
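Review bot: The example ships `PGSSLMODE=disable` with no comment, so the setting is only safe while `PGHOST` stays on loopback; an operator who copies the file and points `PGHOST` at a remote database would send `PGPASSWORD` and query traffic unencrypted. I would add a comment above it such as `# disable is acceptable only for a loopback PGHOST; use verify-full for a remote database`, and the same caveat fits `FMSG_ID_URL=http://127.0.0.1:8080`, which is plain HTTP. Because the deployed copy of this file holds `PGPASSWORD`, a header comment saying it should be readable only by the service user would also help. The group starting at `FMSG_MAX_MSG_SIZE` has no heading; if those variables are optional, `# Optional` above them would match the existing `# Required`.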
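Review bot: The `log.Panicf` call after the changed line still prints `domain`, although the name now resolved is `"fmsg." + domain`, so a failed lookup reports a host that was never queried. Building the name once keeps the message accurate: `host := "fmsg." + domain`, then `net.LookupHost(host)` and `log.Panicf("ERROR: FMSG_DOMAIN, %s: %s\n", host, err)`. A one-line comment explaining why the `fmsg.` label is prepended would help the next reader, and the commit subject names checkDomainIP() while the hunk context is setDomain(), which may be worth reconciling. setDomain's body starts and ends outside the hunk.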