markmnl · markmnl · Apr 17, 2026 · Apr 17, 2026 · Apr 17, 2026 · Apr 17, 2026
diff --git a/README.md b/README.md
@@ -63,28 +63,73 @@ An example systemd service to run fmsgd as a service on startup
 
 ASSUMES: 
 * Directory `/opt/fmsgd` has been created and contains built executable: `fmsgd`
-* Text file `/opt/fmsgd/env` exists containing environment variables
+* Text file `/opt/fmsgd/env` exists containing environment variables (example below)
 * User `fmsg` has been created and has
     - read and execute permissions to `/opt/fmsgd/`, e.g. with `chown -R fmsg:fmsg /opt/fmsgd` after `mkdir /opt/fmsgd`
     - write permissions to FMSG_DATA_DIR
+* Directory `/var/lib/fmsgd` has been created and owned by fmsg
 
 `/etc/systemd/system/fmsgd.service`
 
 ```
 [Unit]
 Description=fmsg Host
-After=network.target
+After=network-online.target
+Wants=network-online.target
 
 [Service]
-EnvironmentFile=/opt/fmsgd/env
-ExecStart=/opt/fmsgd/fmsgd "0.0.0.0"
+Type=simple
+
 User=fmsg
 Group=fmsg
 
+EnvironmentFile=/opt/fmsgd/env
+
+ExecStart=/opt/fmsgd/fmsgd 0.0.0.0
+WorkingDirectory=/opt/fmsgd
+
+Restart=on-failure
+RestartSec=3
+
+# --- Filesystem access ---
+ReadWritePaths=/opt/fmsgd
-ReadWritePaths=/opt/fmsgd
-ReadWritePaths=/opt/fmsgd
+ReadWritePaths=/var/lib/fmsgd
+PrivateTmp=true
+
+# --- Hardening ---
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+
+# --- Logging ---
+StandardOutput=journal
+StandardError=journal
+
 [Install]
 WantedBy=multi-user.target
 ```
 
+```
+FMSG_DATA_DIR=/var/lib/fmsgd/
+FMSG_DOMAIN=example.com
+FMSG_ID_URL=http://127.0.0.1:8080
+
+
+FMSG_MAX_MSG_SIZE=10240
+FMSG_MAX_PAST_TIME_DELTA=604800
+FMSG_MAX_FUTURE_TIME_DELTA=300
+FMSG_MIN_DOWNLOAD_RATE=5000
+FMSG_MIN_UPLOAD_RATE=5000
+FMSG_READ_BUFFER_SIZE=1600
+
+PGHOST=127.0.0.1
+PGPORT=5432
+PGUSER=
+PGPASSWORD=
+PGDATABASE=fmsgd
+```
+
 ```
-```
-FMSG_DATA_DIR=/var/lib/fmsgd/
-FMSG_DOMAIN=example.com
-FMSG_ID_URL=http://127.0.0.1:8080
-
-
-FMSG_MAX_MSG_SIZE=10240
-FMSG_MAX_PAST_TIME_DELTA=604800
-FMSG_MAX_FUTURE_TIME_DELTA=300
-FMSG_MIN_DOWNLOAD_RATE=5000
-FMSG_MIN_UPLOAD_RATE=5000
-FMSG_READ_BUFFER_SIZE=1600
-
-PGHOST=127.0.0.1
-PGPORT=5432
-PGUSER=
-PGPASSWORD=
-PGDATABASE=fmsgd
-```
-
-```
+See `src/.env.example` for the canonical environment-variable example and the full, current set of `FMSG_*` and PostgreSQL `PG*` variables to configure.
+
-```
-FMSG_DATA_DIR=/var/lib/fmsgd/
-FMSG_DOMAIN=example.com
-FMSG_ID_URL=http://127.0.0.1:8080
-
-
-FMSG_MAX_MSG_SIZE=10240
-FMSG_MAX_PAST_TIME_DELTA=604800
-FMSG_MAX_FUTURE_TIME_DELTA=300
-FMSG_MIN_DOWNLOAD_RATE=5000
-FMSG_MIN_UPLOAD_RATE=5000
-FMSG_READ_BUFFER_SIZE=1600
-
-PGHOST=127.0.0.1
-PGPORT=5432
-PGUSER=
-PGPASSWORD=
-PGDATABASE=fmsgd
-```
-
-```
+See `src/.env.example` for the canonical environment-variable example and the full, current set of `FMSG_*` and PostgreSQL `PG*` variables to configure.
+
 sudo systemctl daemon-reload
 sudo systemctl enable fmsgd

diff --git a/src/.env.example b/src/.env.example
@@ -0,0 +1,22 @@
+# fmsgd Environment Variables
+
+# Required
+FMSG_DATA_DIR=/var/lib/fmsgd/
+FMSG_DOMAIN=example.com
+FMSG_ID_URL=http://127.0.0.1:8080
+
+
+FMSG_MAX_MSG_SIZE=10240
+FMSG_MAX_PAST_TIME_DELTA=604800
+FMSG_MAX_FUTURE_TIME_DELTA=300
+FMSG_MIN_DOWNLOAD_RATE=5000
+FMSG_MIN_UPLOAD_RATE=5000
+FMSG_READ_BUFFER_SIZE=1600
+
+# PostgreSQL connection variables (see https://www.postgresql.org/docs/current/libpq-envars.html)
+PGHOST=127.0.0.1
+PGPORT=5432
+PGUSER=
+PGPASSWORD=
+PGDATABASE=fmsgd
+PGSSLMODE=disable
-PGSSLMODE=disable
+# Use disable only for local socket or trusted localhost development.
+PGSSLMODE=require
-PGSSLMODE=disable
+# Use disable only for local socket or trusted localhost development.
+PGSSLMODE=require
diff --git a/src/host.go b/src/host.go
@@ -233,7 +233,7 @@ func setDomain() {
 	if !hasValue {
 		log.Panicln("ERROR: FMSG_DOMAIN not set")
 	}
-	_, err := net.LookupHost(domain)
+	_, err := net.LookupHost("fmsg." + domain)
 	if err != nil {
 		log.Panicf("ERROR: FMSG_DOMAIN, %s: %s\n", domain, err)
 	}