Systemd unit for kanata [Linux]

[ibnishak]

1. Edit the following as necessary, and save it as ~/.config/systemd/user/kanata.service

[Unit]
Description=Kanata keyboard remapper
Documentation=https://github.com/jtroo/kanata

[Service]
Environment=PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/bin
Environment=DISPLAY=:0
Environment=HOME=/path/to/home/folder
Type=simple
ExecStart=/usr/local/bin/kanata --cfg /path/to/kanata/config/file
Restart=never

[Install]
WantedBy=default.target

2. Run systemctl --user start kanata.service to start kanata daemon
3. Run systemctl --user enable kanata.service so it may autostart whenever the current user logs in.
4. Run systemctl --user status kanata.service to check if kanata daemon is running or not.

[roadkell]

Seems like Restart=never should actually be Restart=no: https://www.freedesktop.org/software/systemd/man/systemd.service.html#Restart=

[Lewenhaupt]

Unable to get this to work, can't find any devices. Maybe it runs with the wrong user?

[amospalla]

A standard user can not access to raw input devices, thus kanata must be running under root user, or under some user with privileges to read /dev/input/* files.

[Lewenhaupt]

Yeah but I followed the guide to avoid having to run it as sudo. And I can now run it as my own user (the same that runs the daemon) but it doesn't work in the daemon, only when I run it directly.

[YellaGoya]

checked error log

[ERROR] Failed to open the output uinput device. Make sure you've added the user executing kanata to the uinput group

systemd runs as root, so i blindly added root to the input, uinput groups
=> This is a meaningless behavior, root can do anything without being added to a specific permission group.

too early to get uinput?

I wondered if the service was started at an early time when uinput could not be found,
so I used kanata.timer to trigger kanata.service 30 seconds after the laptop booted.
=> At first, it worked, but after a week, it suddenly stopped working, and no matter what user I used,
systemd only showed the error above.

solution

I made the kernel load the uinput module into memory first, and suddenly it worked.
I'm using it in a rocky linux 9.3 environment.
I hope this helps.

add ExecStartPre=/sbin/modprobe uinput at [Service]

[Unit]
Description=Kanata Service

[Service]
ExecStartPre=/sbin/modprobe uinput
ExecStart=/path/to/kanata -c /path/to/kanata.kbd
Restart=no

[Install]
WantedBy=multi-user.target

[KoshulaDora]

For whoever that gets code 13 premission denied when trying to make systemd service run, consider putting it in etc/systemd/services/system/ instead. For some reason this makes the linux-x11-repeat-delay-rate a bit finicky if not outright unresponsive, you can mitigate that with a xset r rate <delay> <repeat> in your autostart.sh or whatever your wm/de uses.

[Andrew15-5]

I didn't want to fight with permissions and all that stuff, so I made a system-wide config (/lib/systemd/system/kanata.service) without the (it looks like) useless Environment entries:

[Unit]
Description=Kanata keyboard remapper
Documentation=https://github.com/jtroo/kanata

[Service]
Type=simple
ExecStart=/home/user/.cargo/bin/kanata --cfg /home/user/.config/kanata/config-name.kbd
Restart=never

[Install]
WantedBy=default.target

Also did this:

# sudo systemctl daemon-reload # maybe this will be required when changing the service file
sudo systemctl start kanata
sudo systemctl enable kanata

[mattiasb]

What am I supposed to do with s/Environment/Environment?

I'm sorry, my bad!.

The s/string/replacement thing is a regular expression that basically says "Replace string with replacement".

Writing a regex like that instead of saying "You misspelled this word" is programmer jargon.

TL;DR: This is how I should've answered instead:

---

That keyword is useless. When I set it like this: Enviroment=PATH=/home/aljustiet/.cargo/bin it still chooses the one in /usr/bin.

You misspelled "Environment" (you're missing an "n").

Try changing Enviroment=PATH=/home/aljustiet/.cargo/bin to Environment=PATH=/home/aljustiet/.cargo/bin

[aljustiet]

What am I supposed to do with s/Environment/Environment?

I'm sorry, my bad!.

The s/string/replacement thing is a regular expression that basically says "Replace string with replacement".

Writing a regex like that instead of saying "You misspelled this word" is programmer jargon.

TL;DR: This is how I should've answered instead:

That keyword is useless. When I set it like this: Enviroment=PATH=/home/aljustiet/.cargo/bin it still chooses the one in /usr/bin.

You misspelled "Environment" (you're missing an "n").

Try changing Enviroment=PATH=/home/aljustiet/.cargo/bin to Environment=PATH=/home/aljustiet/.cargo/bin

I see. 🫠
But that still doesn't work.
With ExecSearchPath, it detects the kanata binary in the home folder, but can't include config file with it.

[mattiasb]

I believe it works in the sense that I intended.
That is: it corrects the misspelling and sets the PATH environment variable correctly.

I believe what you're trying to show in that video clip is that I didn't solve the issue
with having to provide the path to the config file. To be absolutely clear I wasn't invested in that issue at all. All I wanted to do was to unblock you with that "Enviroment" misspelling since I know how frustrating those can be.

Anyhow. I read some more from man systemd.exec for you and I believe this should do what you want:

[Unit]
Description=Kanata keyboard remapper
Documentation=https://github.com/jtroo/kanata

[Service]
Type=simple
ExecSearchPath=/home/aljustiet/.cargo/bin
WorkingDirectory=/home/aljustiet/.dotfiles/Keyboard-Remapping
ExecStart=kanata --nodelay --cfg ./kanata.lsp
Restart=no

[Install]
WantedBy=multi-user.target

If you have follow up questions, please check the man pages firs. :)

[mhantsch]

please check the man pages firs

s/$/t/ 😉

[mattiasb]

please check the man pages firs

s/$/t/ 😉

Touché! 😂

[zen2]

For non systemd users:

1. with a bash script

/usr/local/bin/kanata-daemon.sh

#!/bin/bash

mycmd="/usr/local/bin/kanata --cfg /path/to/kanata/config/file"
mypid="$TMP/kanata.pid"
mylog="/dev/null" # change for a log file

case "$1" in
  start)
    if [ -e "$mypid" ]; then
      echo "kanata is already running"
      exit 1
    else
      nohup $mycmd &> "$mylog" &
      echo $! > $mypid
      echo "kanata have started in background"
    fi
    ;;
  stop)
    if [ -e "$mypid" ]; then
      kill -15 $(cat "$mypid")
      rm "$mypid"
      echo "kanata have stopped"
    else
      echo "kanata is not running"
      exit 2
    fi
    ;;
  status)
    if [ -e "$mypid" ]; then
      echo "kanata is running"
    else
      echo "kanata is stopped"
    fi
    ;;
  *)
    echo "$(basename $0) start|stop|status"
    ;;
esac

2. with start-stop-daemon

start-stop-daemon --start --background -- /usr/local/bin/kanata --cfg /path/to/kanata/config/file
start-stop-daemon --stop /usr/local/bin/kanata

[Yvan-Masson]

Thanks everyone for sharing. I was quite afraid to run such a program designed to process everything that is typed, so here is my step by step configuration on a Ubuntu 20.04 host, with a dedicated kanata user and a hardened systemd service configuration, to use without the Kanata TCP server:

# allow a dedicated user group to use uinput kernel module
sudo groupadd uinput
sudo echo 'KERNEL=="uinput", MODE="0660", GROUP="uinput", OPTIONS+="static_node=uinput"' | sudo tee /etc/udev/rules.d/50-kanata.rules > /dev/null
# create the kanata user
sudo useradd --no-create-home --groups input,uinput --shell /bin/false --user-group kanata
# "install" kanata
sudo wget -O /usr/local/bin/kanata https://github.com/jtroo/kanata/releases/download/v1.7.0/kanata
sudo chown root:kanata /usr/local/bin/kanata
sudo chmod 754 /usr/local/bin/kanata
# create systemd unit
sudo echo "[Unit]
Description=Kanata keyboard remapper
Documentation=https://github.com/jtroo/kanata
[email protected]
[email protected]

[Service]
Type=simple
User=kanata
ExecStart=/usr/local/bin/kanata --quiet --cfg /my/kanata/config.kbd
Restart=no
# Security
CapabilityBoundingSet=
DeviceAllow=/dev/uinput rw
DeviceAllow=char-input
DeviceAllow=/dev/stdin
DevicePolicy=strict
PrivateDevices=true
BindPaths=/dev/uinput
BindReadOnlyPaths=/dev/stdin
BindReadOnlyPaths=/dev/input/
InaccessiblePaths=/dev/shm
LockPersonality=true
NoNewPrivileges=true
PrivateTmp=true
PrivateNetwork=true
PrivateUsers=true
# The following can not be enabled, otherwise Kanata can not open /dev/uinput.
# More hardening would require to explicitly list allowed system calls.
#ProtectClock=true
ProtectHome=true
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectSystem=strict
ProtectControlGroups=true
# Allow only on AddressFamily and then deny it to effectively deny everything
RestrictAddressFamilies=AF_AX25
RestrictAddressFamilies=~AF_AX25
RestrictNamespaces=true
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
RemoveIPC=true
IPAddressDeny=any
RestrictSUIDSGID=true
RestrictRealtime=true
MemoryDenyWriteExecute=true
UMask=0077" | sudo tee /etc/systemd/system/kanata.service > /dev/null
sudo systemctl daemon-reload

Enable the systemd unit if you want it to start automatically: sudo systemctl enable kanata.service

Finally reboot the system.