[Feature Request]: Enhance Meshtastic Native Daemon systemd script for better security and resource management

[mgoljak]

Platform

NRF52, ESP32

Description

The current Meshtastic Native Daemon systemd script runs as the root user, which is generally considered a security risk. Additionally, it lacks automatic service restarts in case of failure and doesn't limit resource consumption effectively.

Proposed Changes

• Change the service user and group to a dedicated "meshtastic" user.
• Add the “meshtastic” user to the 995(spi), 994(i2c), and 993(gpio) groups on Raspberry Pi OS.
• Add automatic service restarts on failure.
• Set resource limits (such as CPU weight) to prevent excessive resource usage.
• Add AmbientCapabilities=CAP_NET_BIND_SERVICE to the systemd script.

Example Modified systemd Script

[Unit]
Description=Meshtastic Native Daemon
After=network-online.target

[Service]
User=meshtastic
Group=meshtastic
Type=simple
ExecStart=/usr/sbin/meshtasticd
Restart=on-failure
RestartSec=5s
StartLimitBurst=2
StartLimitInterval=150s
Nice=10
CPUWeight=1
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

Please review and provide feedback!