Systemd Service

Run Drip server as a system service.

Automatic Setup

The install script creates a systemd service automatically at /etc/systemd/system/drip-server.service.

Manual Setup

Create /etc/systemd/system/drip-server.service:

ini
[Unit]
Description=Drip Tunnel Server
After=network.target

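[Service]
Type=simple
User=drip
Group=drip
# Arguments given here, including --token, are readable in the unit file and
# in the process list; see "Using Environment File" below to avoid that.
ExecStart=/usr/local/bin/drip-server \
  --port 443 \
  --domain tunnel.example.com \
  --tls-cert /etc/letsencrypt/live/tunnel.example.com/fullchain.pem \
  --tls-key /etc/letsencrypt/live/tunnel.example.com/privkey.pem \
  --token YOUR_SECRET_TOKEN
Restart=on-failure
RestartSec=10
StandardOutput=journal
StandardError=journal

# Let the unprivileged drip user bind port 443
AmbientCapabilities=CAP_NET_BIND_SERVICE

# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
# /etc/drip must exist before the service starts
ReadWritePaths=/etc/drip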

[Install]
WantedBy=multi-user.target

Create Service User

bash
sudo useradd -r -s /bin/false drip

Grant Certificate Access

bash
sudo setfacl -m u:drip:rx /etc/letsencrypt/live
sudo setfacl -m u:drip:rx /etc/letsencrypt/archive
sudo setfacl -m u:drip:r /etc/letsencrypt/live/tunnel.example.com/fullchain.pem
sudo setfacl -m u:drip:r /etc/letsencrypt/live/tunnel.example.com/privkey.pem

Service Management

Start the server:

bash
sudo systemctl start drip-server

Enable auto-start on boot:

bash
sudo systemctl enable drip-server

Check status:

bash
sudo systemctl status drip-server

View logs:

bash
sudo journalctl -u drip-server -f

View recent logs:

bash
sudo journalctl -u drip-server --since "1 hour ago"

Restart after config changes:

bash
sudo systemctl restart drip-server

Using Environment File

Create /etc/drip/server.env:

bash
DRIP_PORT=443
DRIP_DOMAIN=tunnel.example.com
DRIP_TOKEN=your-secret-token
DRIP_TLS_CERT=/etc/letsencrypt/live/tunnel.example.com/fullchain.pem
DRIP_TLS_KEY=/etc/letsencrypt/live/tunnel.example.com/privkey.pem

Secure the file:

bash
sudo chmod 600 /etc/drip/server.env
sudo chown drip:drip /etc/drip/server.env

Reference it from the service file, replacing the earlier ExecStart line:

ini
[Service]
EnvironmentFile=/etc/drip/server.env
ExecStart=/usr/local/bin/drip-server
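
An added example, not part of Drip or its install script: a small lint for the two configurations above. It flags a token passed in ExecStart, missing User=, NoNewPrivileges= or ProtectSystem= settings, and an environment file whose mode is not 600. The function name audit_drip_unit and the finding labels are invented for this example, and the unit it runs on is a constructed sample.

```bash
#!/bin/bash
# Added example, not part of Drip: lint a drip-server unit and its env file.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
# audit_drip_unit and the finding labels are names invented for this example.
audit_drip_unit() {
  local unit="$1" env_file="${2:-}" line next mode rc=0
  local has_user=0 has_nnp=0 has_ps=0
  while IFS= read -r line || [ -n "$line" ]; do
    # Fold backslash-continued lines so a multi-line ExecStart is one record.
    while :; do
      case $line in *\\) ;; *) break ;; esac
      IFS= read -r next || break
      line="${line%\\} $next"
    done
    case $line in
      ExecStart=*--token*)
        echo "token-in-execstart: token is exposed in the unit file and process list"
        rc=1 ;;
      User=root) ;;
      User=?*) has_user=1 ;;
      NoNewPrivileges=true|NoNewPrivileges=yes) has_nnp=1 ;;
      ProtectSystem=strict) has_ps=1 ;;
    esac
  done < "$unit"
  [ "$has_user" = 1 ] || { echo "service-user: User= is missing or root"; rc=1; }
  [ "$has_nnp" = 1 ] || { echo "no-new-privileges: NoNewPrivileges=true is missing"; rc=1; }
  [ "$has_ps" = 1 ] || { echo "protect-system: ProtectSystem=strict is missing"; rc=1; }
  if [ -n "$env_file" ] && [ -e "$env_file" ]; then
    mode=$(stat -c '%a' "$env_file")   # GNU stat, present on systemd hosts
    [ "$mode" = 600 ] || { echo "env-file-mode: $env_file is $mode, expected 600"; rc=1; }
  fi
  return "$rc"
}

# Constructed sample: the [Service] section from "Manual Setup", abridged.
sample_unit=$(mktemp)
cat > "$sample_unit" <<'EOF'
[Service]
User=drip
ExecStart=/usr/local/bin/drip-server \
  --port 443 \
  --token YOUR_SECRET_TOKEN
NoNewPrivileges=true
ProtectSystem=strict
EOF
audit_drip_unit "$sample_unit" || true   # reports only token-in-execstart
rm -f "$sample_unit"
```

On a real host, pass /etc/systemd/system/drip-server.service and /etc/drip/server.env as the two arguments.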

Certificate Renewal

Restart the server automatically after each Let's Encrypt renewal.

Create /etc/letsencrypt/renewal-hooks/deploy/drip.sh:

bash
#!/bin/bash
systemctl restart drip-server

Make it executable:

bash
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/drip.sh