Systemd unit for kanata [Linux]

[ibnishak]

1. Edit the following as necessary, and save it as ~/.config/systemd/user/kanata.service

[Unit]
Description=Kanata keyboard remapper
Documentation=https://github.com/jtroo/kanata

[Service]
Environment=PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/bin
Environment=DISPLAY=:0
Environment=HOME=/path/to/home/folder
Type=simple
ExecStart=/usr/local/bin/kanata --cfg /path/to/kanata/config/file
Restart=never

[Install]
WantedBy=default.target

2. Run systemctl --user start kanata.service to start kanata daemon
3. Run systemctl --user enable kanata.service so it may autostart whenever the current user logs in.
4. Run systemctl --user status kanata.service to check if kanata daemon is running or not.

[roadkell]

Seems like Restart=never should actually be Restart=no: https://www.freedesktop.org/software/systemd/man/systemd.service.html#Restart=

[Lewenhaupt]

Unable to get this to work, can't find any devices. Maybe it runs with the wrong user?

[amospalla]

A standard user can not access to raw input devices, thus kanata must be running under root user, or under some user with privileges to read /dev/input/* files.

[Lewenhaupt]

Yeah but I followed the guide to avoid having to run it as sudo. And I can now run it as my own user (the same that runs the daemon) but it doesn't work in the daemon, only when I run it directly.

[YellaGoya]

checked error log

[ERROR] Failed to open the output uinput device. Make sure you've added the user executing kanata to the uinput group

systemd runs as root, so i blindly added root to the input, uinput groups
=> This is a meaningless behavior, root can do anything without being added to a specific permission group.

too early to get uinput?

I wondered if the service was started at an early time when uinput could not be found,
so I used kanata.timer to trigger kanata.service 30 seconds after the laptop booted.
=> At first, it worked, but after a week, it suddenly stopped working, and no matter what user I used,
systemd only showed the error above.

solution

I made the kernel load the uinput module into memory first, and suddenly it worked.
I'm using it in a rocky linux 9.3 environment.
I hope this helps.

add ExecStartPre=/sbin/modprobe uinput at [Service]

[Unit]
Description=Kanata Service

[Service]
ExecStartPre=/sbin/modprobe uinput
ExecStart=/path/to/kanata -c /path/to/kanata.kbd
Restart=no

[Install]
WantedBy=multi-user.target

[KoshulaDora]

For whoever that gets code 13 premission denied when trying to make systemd service run, consider putting it in etc/systemd/services/system/ instead. For some reason this makes the linux-x11-repeat-delay-rate a bit finicky if not outright unresponsive, you can mitigate that with a xset r rate <delay> <repeat> in your autostart.sh or whatever your wm/de uses.

[Andrew15-5]

I didn't want to fight with permissions and all that stuff, so I made a system-wide config (/lib/systemd/system/kanata.service) without the (it looks like) useless Environment entries:

[Unit]
Description=Kanata keyboard remapper
Documentation=https://github.com/jtroo/kanata

[Service]
Type=simple
ExecStart=/home/user/.cargo/bin/kanata --cfg /home/user/.config/kanata/config-name.kbd
Restart=never

[Install]
WantedBy=default.target

Also did this:

# sudo systemctl daemon-reload # maybe this will be required when changing the service file
sudo systemctl start kanata
sudo systemctl enable kanata

[aljustiet]

What am I supposed to do with s/Environment/Environment?

I'm sorry, my bad!.

The s/string/replacement thing is a regular expression that basically says "Replace string with replacement".

Writing a regex like that instead of saying "You misspelled this word" is programmer jargon.

TL;DR: This is how I should've answered instead:

That keyword is useless. When I set it like this: Enviroment=PATH=/home/aljustiet/.cargo/bin it still chooses the one in /usr/bin.

You misspelled "Environment" (you're missing an "n").

Try changing Enviroment=PATH=/home/aljustiet/.cargo/bin to Environment=PATH=/home/aljustiet/.cargo/bin

I see. 🫠
But that still doesn't work.
With ExecSearchPath, it detects the kanata binary in the home folder, but can't include config file with it.

[mattiasb]

I believe it works in the sense that I intended.
That is: it corrects the misspelling and sets the PATH environment variable correctly.

I believe what you're trying to show in that video clip is that I didn't solve the issue
with having to provide the path to the config file. To be absolutely clear I wasn't invested in that issue at all. All I wanted to do was to unblock you with that "Enviroment" misspelling since I know how frustrating those can be.

Anyhow. I read some more from man systemd.exec for you and I believe this should do what you want:

[Unit]
Description=Kanata keyboard remapper
Documentation=https://github.com/jtroo/kanata

[Service]
Type=simple
ExecSearchPath=/home/aljustiet/.cargo/bin
WorkingDirectory=/home/aljustiet/.dotfiles/Keyboard-Remapping
ExecStart=kanata --nodelay --cfg ./kanata.lsp
Restart=no

[Install]
WantedBy=multi-user.target

If you have follow up questions, please check the man pages firs. :)

[mhantsch]

please check the man pages firs

s/$/t/ 😉

[mattiasb]

please check the man pages firs

s/$/t/ 😉

Touché! 😂

[ADIX7]

I got Failed to open the output uinput device. Make sure you added the user executing kanata to the 'uinput' group and that the 'uinpu..., the official documentation had the solution: ExecStart=/usr/bin/sh -c '...'

[zen2]

For non systemd users:

1. with a bash script

/usr/local/bin/kanata-daemon.sh

#!/bin/bash

mycmd="/usr/local/bin/kanata --cfg /path/to/kanata/config/file"
mypid="$TMP/kanata.pid"
mylog="/dev/null" # change for a log file

case "$1" in
  start)
    if [ -e "$mypid" ]; then
      echo "kanata is already running"
      exit 1
    else
      nohup $mycmd &> "$mylog" &
      echo $! > $mypid
      echo "kanata have started in background"
    fi
    ;;
  stop)
    if [ -e "$mypid" ]; then
      kill -15 $(cat "$mypid")
      rm "$mypid"
      echo "kanata have stopped"
    else
      echo "kanata is not running"
      exit 2
    fi
    ;;
  status)
    if [ -e "$mypid" ]; then
      echo "kanata is running"
    else
      echo "kanata is stopped"
    fi
    ;;
  *)
    echo "$(basename $0) start|stop|status"
    ;;
esac

2. with start-stop-daemon

start-stop-daemon --start --background -- /usr/local/bin/kanata --cfg /path/to/kanata/config/file
start-stop-daemon --stop /usr/local/bin/kanata

[Yvan-Masson]

Thanks everyone for sharing. I was quite afraid to run such a program designed to process everything that is typed, so here is my step by step configuration on a Ubuntu 20.04 host, with a dedicated kanata user and a hardened systemd service configuration, to use without the Kanata TCP server:

# allow a dedicated user group to use uinput kernel module
sudo groupadd uinput
sudo echo 'KERNEL=="uinput", MODE="0660", GROUP="uinput", OPTIONS+="static_node=uinput"' | sudo tee /etc/udev/rules.d/50-kanata.rules > /dev/null
# create the kanata user
sudo useradd --no-create-home --groups input,uinput --shell /bin/false --user-group kanata
# "install" kanata
sudo wget -O /usr/local/bin/kanata https://github.com/jtroo/kanata/releases/download/v1.7.0/kanata
sudo chown root:kanata /usr/local/bin/kanata
sudo chmod 754 /usr/local/bin/kanata
# create systemd unit
sudo echo "[Unit]
Description=Kanata keyboard remapper
Documentation=https://github.com/jtroo/kanata
Wants=modprobe@uinput.service
After=modprobe@uinput.service

[Service]
Type=simple
User=kanata
ExecStart=/usr/local/bin/kanata --quiet --cfg /my/kanata/config.kbd
Restart=no
# Security
CapabilityBoundingSet=
DeviceAllow=/dev/uinput rw
DeviceAllow=char-input
DeviceAllow=/dev/stdin
DevicePolicy=strict
PrivateDevices=true
BindPaths=/dev/uinput
BindReadOnlyPaths=/dev/stdin
BindReadOnlyPaths=/dev/input/
InaccessiblePaths=/dev/shm
LockPersonality=true
NoNewPrivileges=true
PrivateTmp=true
PrivateNetwork=true
PrivateUsers=true
# The following can not be enabled, otherwise Kanata can not open /dev/uinput.
# More hardening would require to explicitly list allowed system calls.
#ProtectClock=true
ProtectHome=true
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectSystem=strict
ProtectControlGroups=true
# Allow only on AddressFamily and then deny it to effectively deny everything
RestrictAddressFamilies=AF_AX25
RestrictAddressFamilies=~AF_AX25
RestrictNamespaces=true
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
RemoveIPC=true
IPAddressDeny=any
RestrictSUIDSGID=true
RestrictRealtime=true
MemoryDenyWriteExecute=true
UMask=0077" | sudo tee /etc/systemd/system/kanata.service > /dev/null
sudo systemctl daemon-reload

Enable the systemd unit if you want it to start automatically: sudo systemctl enable kanata.service

Finally reboot the system.

[brtholomy]

@Yvan-Masson thank you, I'm using this and recommend.

As an overview, there seems to be at least 4 ways to approach this, roughly in order of increasing security:

1. nohup scripts, often run as root
2. systemd system unit run as root, often with no hardening
3. systemd user unit, by adding yourself to the input group. With no hardening, systemd-analyze security gave this a 9.4.
4. systemd system unit running under a dedicated user with hardening, ie this approach. systemd-analyze security gave this a 0.5, so the difference is huge.

NOTE: I was able to get the service to read from my .config/ without exposing anything else:

ProtectHome=tmpfs
BindReadOnlyPaths=/home/user/.config/kanata/

Also I had to add the symlinked /dev/ path:

BindReadOnlyPaths=/dev/%i-keyboard

where the corresponding /etc/udev/rules.d/ rule is simply one of:

ATTRS{name}=="EK68", SYMLINK+="ek68-keyboard"

or on my mac:

SUBSYSTEM=="input", ATTRS{interface}=="Apple Internal Keyboard", SYMLINK+="mac-keyboard"

so that this service file works for both, with the same substitution for the exec:

ExecStart=/usr/bin/kanata --cfg home/user/.config/kanata/kanata-%i.kbd

More about this kind of setup can be found here: kmonad/kmonad#384 (comment)

[rieje]

You guys don't need to change the ownership of the config file for this to work? With the service I keep getting:

[ERROR]   × Failed to include file: Permission denied (os error 13)
[ERROR] failed to parse file

until I sudo chown -R kanata:root /etc/kanata, not sure if this is the best approach (I keep config at /etc/kanata because I want kanata to run as system service so it's available even for root user).

[brtholomy]

@rieje I believe this is the magic you're missing:

BindReadOnlyPaths=/home/user/.config/kanata/

or /etc/kanata/ if you still want that. but shouldn't be necessary.

[ram-xv]

Hi everyone,

I wrote a script to install and setup Kanata with a single command.
This script installs and sets up Kanata with a dedicated user (kanata) and a restricted systemd service for better security.

It pretty much does everything for you. From installation to auto-start at boot.
All you have to do is provide your Kantana .kbd config path in the script.

Prerequisites:

• You need sudo access.
• This script assumes an Ubuntu/Debian-based system.
• Have your Kanata config file somewhere in $HOME directory.
  • ex: ~/dotfiles/kanata/kanata-config.kdb
  • or ~/kanata-config.kdb

Note: The script will copy the provided kanata config file into /etc/kanata/ system directory.

How to create and use the script:

1. Copy the entire shell script provided below.

2. Save the copied text into a file on your computer. Name it something like setup-kanata-hardened.sh.

3. Make the script executable, open your terminal and run:
   chmod +x setup-kanata-hardened.sh

4. Execute the script using sudo:
   sudo ./setup-kanata-hardened.sh

5. The script will perform all steps:

   • install Kanata (v1.7.0)
   • copy your config into system location "/etc/kanata/kanata-config.kbd"
   • create user/group
   • set rules
   • create/enable/start the systemd service.

6. Finally, after running the script, reboot your computer.

This is the script:

#!/bin/bash

# ==============================================================================
# Script to set up Kanata with a dedicated user and hardened systemd service
# ==============================================================================

# CONFIGURATION
#
# REQUIRED: Set the path to your Kanata config relative to $HOME.
# E.g., if your config is at ~/somewhere/my-kanata.kbd, use "somewhere/my-kanata.kbd".
KANATA_CONFIG_REL_PATH="path/to/your/kanata-config.kbd"

# System location where the kanata config file will be placed
# (DO NOT EDIT)
SYSTEM_KANATA_CONFIG_DST="/etc/kanata/kanata-config.kbd"

# Kanata version to download
KANATA_VERSION="v1.7.0"

# Dedicated user/group names
KANATA_USER="kanata"
UINPUT_GROUP="uinput"

# FUNCTION TO PRINT MESSAGES
echoinfo() {
    echo "[INFO] $1"
}
echoerror() {
    echo "[ERROR] $1" >&2
}

# CHECK FOR ROOT/SUDO
if [ "$(id -u)" -ne 0 ]; then
  echoerror "This script must be run with sudo or as root."
  exit 1
fi

# DETERMINE SOURCE CONFIG FILE PATH
# Try finding it relative to the current $HOME (might be /root if using sudo)
USER_KANATA_CONFIG_SRC="$HOME/$KANATA_CONFIG_REL_PATH"

# If not found AND we are using sudo, try finding it relative to the original user's $HOME
if [ ! -f "$USER_KANATA_CONFIG_SRC" ] && [ -n "$SUDO_USER" ]; then
    echoinfo "Config not found via current HOME ($HOME), attempting lookup via SUDO_USER ($SUDO_USER)..."
    SUDO_USER_HOME=$(getent passwd "$SUDO_USER" | cut -d: -f6)

    if [ -z "$SUDO_USER_HOME" ]; then
         echoerror "Could not determine home directory for user $SUDO_USER."
         exit 1
    fi

    ALT_CONFIG_PATH="$SUDO_USER_HOME/$KANATA_CONFIG_REL_PATH"
    echoinfo "Checking alternative path: $ALT_CONFIG_PATH"

    if [ -f "$ALT_CONFIG_PATH" ]; then
        echoinfo "Found config file using SUDO_USER: $ALT_CONFIG_PATH"
        # Update the variable to use the correctly found path
        USER_KANATA_CONFIG_SRC="$ALT_CONFIG_PATH"
    else
        # Config not found in either location
        echoerror "Kanata config file not found at initial path: $HOME/$KANATA_CONFIG_REL_PATH"
        echoerror "And also not found at alternative path: $ALT_CONFIG_PATH"
        echoerror "Please ensure the relative path '$KANATA_CONFIG_REL_PATH' exists in your home directory."
        exit 1
    fi
# If not found and not using sudo (or SUDO_USER not set), then it just doesn't exist
elif [ ! -f "$USER_KANATA_CONFIG_SRC" ]; then
    echoerror "Kanata config file not found at: $USER_KANATA_CONFIG_SRC"
    echoerror "Please ensure the relative path '$KANATA_CONFIG_REL_PATH' exists in your home directory ($HOME)."
    exit 1
fi

# If we reach here, USER_KANATA_CONFIG_SRC holds the validated path to the source config file
echoinfo "Using source config file: $USER_KANATA_CONFIG_SRC"

echoinfo "Starting Kanata hardened setup..."

#========================
# STEP 1: Create User/Group
#========================
echoinfo "Creating group '$UINPUT_GROUP' (if it doesn't exist)..."
groupadd "$UINPUT_GROUP" || echoinfo "Group '$UINPUT_GROUP' likely already exists."

echoinfo "Creating user '$KANATA_USER' (if it doesn't exist)..."
useradd --system --no-create-home --groups input,"$UINPUT_GROUP" --shell /bin/false --user-group "$KANATA_USER" || echoinfo "User '$KANATA_USER' likely already exists."

#========================
# STEP 2: Prepare Config Directory & Copy Config
#========================
echoinfo "Creating directory /etc/kanata..."
mkdir -p /etc/kanata

echoinfo "Copying Kanata config from $USER_KANATA_CONFIG_SRC to $SYSTEM_KANATA_CONFIG_DST..."
cp "$USER_KANATA_CONFIG_SRC" "$SYSTEM_KANATA_CONFIG_DST"
if [ $? -ne 0 ]; then
    echoerror "Failed to copy config file. Please check permissions and paths."
    exit 1
fi

#========================
# STEP 3: Set Config Permissions
#========================
echoinfo "Setting permissions on $SYSTEM_KANATA_CONFIG_DST..."
chown root:"$KANATA_USER" "$SYSTEM_KANATA_CONFIG_DST"
chmod 640 "$SYSTEM_KANATA_CONFIG_DST"

#========================
# STEP 4: Create udev Rule
#========================
echoinfo "Creating udev rule for /dev/uinput..."
echo "KERNEL==\"uinput\", MODE=\"0660\", GROUP=\"$UINPUT_GROUP\", OPTIONS+=\"static_node=uinput\"" > /etc/udev/rules.d/50-kanata.rules

#========================
# STEP 5: Download and Install Kanata
#========================
KANATA_URL="https://github.com/jtroo/kanata/releases/download/${KANATA_VERSION}/kanata"
KANATA_BIN_PATH="/usr/local/bin/kanata"

echoinfo "Stopping kanata.service (if running) before download..."
systemctl stop kanata.service > /dev/null 2>&1 || true # Stop the service, ignore errors

echoinfo "Downloading Kanata ${KANATA_VERSION} from ${KANATA_URL}..."
# Use curl with -fSL to follow redirects, show errors, and fail silently on HTTP errors
curl -fSL -o "$KANATA_BIN_PATH" "$KANATA_URL"
if [ $? -ne 0 ]; then
    echoerror "Failed to download Kanata. Check URL or network connection."
    exit 1
fi

echoinfo "Setting permissions on ${KANATA_BIN_PATH}..."
chown root:"$KANATA_USER" "$KANATA_BIN_PATH"
chmod 754 "$KANATA_BIN_PATH"

#========================
# STEP 6: Create Systemd Service Unit
#========================
echoinfo "Creating systemd service file /etc/systemd/system/kanata.service..."
# Use cat with EOF for cleaner multi-line definition
cat << EOF > /etc/systemd/system/kanata.service
[Unit]
Description=Kanata keyboard remapper
Documentation=https://github.com/jtroo/kanata
Wants=modprobe@uinput.service
After=modprobe@uinput.service

[Service]
Type=simple
User=$KANATA_USER
Group=$KANATA_USER
ExecStart=$KANATA_BIN_PATH --quiet --cfg $SYSTEM_KANATA_CONFIG_DST
Restart=no
# Security
CapabilityBoundingSet=
DeviceAllow=/dev/uinput rw
DeviceAllow=char-input
DeviceAllow=/dev/stdin
DevicePolicy=strict
PrivateDevices=true
BindPaths=/dev/uinput
BindReadOnlyPaths=/dev/stdin
BindReadOnlyPaths=/dev/input/
InaccessiblePaths=/dev/shm
LockPersonality=true
NoNewPrivileges=true
PrivateTmp=true
PrivateNetwork=true
PrivateUsers=true
#ProtectClock=true # Disabled as per original example notes
ProtectHome=true
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectSystem=strict
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX # Allow only Unix sockets, deny others like network
RestrictNamespaces=true
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
RemoveIPC=true
IPAddressDeny=any
RestrictSUIDSGID=true
RestrictRealtime=true
MemoryDenyWriteExecute=true
UMask=0077

[Install]
WantedBy=multi-user.target
EOF

#========================
# STEP 7: Reload Systemd, Enable & Start Service
#========================
echoinfo "Reloading systemd daemon..."
systemctl daemon-reload

echoinfo "Enabling kanata.service..."
systemctl enable kanata.service

echoinfo "Starting/Restarting kanata.service..."
systemctl restart kanata.service

echoinfo "-----------------------------------------------------"
echoinfo "Kanata setup script finished!"
echoinfo "Please REBOOT your system for all changes (especially udev rules) to take effect properly."
echoinfo "After rebooting, check status with: systemctl status kanata.service"
echoinfo "-----------------------------------------------------"

exit 0

Hope this script helps simplify the setup for others.
Feedback and improvements are welcome!

[Artikool5]

Thank you!

This script assumes an Ubuntu/Debian-based system.

Seems to work on Arch too.

[slimhk45]

@ram-xv Can this script work on Fedora Atomic too? (Kinoite in my case)
This would cover the two most common distro families (Debian-based/Fedora-based).

Also would not it be better if the Kanata maintainers made your script (or a similar one) the official installation method on GNU/Linux? A hardened Kanata IS ESSENTIAL and it should be easy to install that way for all users.

[jtroo]

@slimhk45

Also would not it be better if the Kanata maintainers made your script (or a similar one) the official installation method on GNU/Linux?

1. Systemd is not GNU/Linux and there are other service management options
2. PRs are welcome if you want to put in the work

[omicron1100]

This script does not appear to work for me on CachyOS (based on Arch). I keep getting

kanata: [ERROR] Failed to open the output uinput device. Make sure you've added the user executing kanata to the `uinput` group
kanata: [ERROR] Permission denied (os error 13)`.
systemd: kanata.service: Main process exited, code=exited, status=1/FAILURE

[MedicodiBiscotti]

Small improvement:

This line: RestrictAddressFamilies=AF_UNIX # Allow only Unix sockets, deny others like network

Gives these errors in /var/log/syslog:

/etc/systemd/system/kanata.service:37: Failed to parse address family, ignoring: #
/etc/systemd/system/kanata.service:37: Failed to parse address family, ignoring: Allow
/etc/systemd/system/kanata.service:37: Failed to parse address family, ignoring: only
/etc/systemd/system/kanata.service:37: Failed to parse address family, ignoring: Unix
/etc/systemd/system/kanata.service:37: Failed to parse address family, ignoring: sockets,
/etc/systemd/system/kanata.service:37: Failed to parse address family, ignoring: deny
/etc/systemd/system/kanata.service:37: Failed to parse address family, ignoring: others
/etc/systemd/system/kanata.service:37: Failed to parse address family, ignoring: like
/etc/systemd/system/kanata.service:37: Failed to parse address family, ignoring: network

Put the comment above the RestrictAddressFamilies line. Same with #ProtectClock=true # Disabled as per original example notes technically.

[finem4n]

Hi,

I'm just wondering if there is any reason why both README.md and release notes point here and not to the docs/setup-linux.md.

[finn-e]

If you look up at this comment you'll see the four ways to set Kanata up to auto start. The guide only covers one way, they're all covered here. This information just needs to be moved into the docs.

[vereist]

If you've updated to systemd 258, you'll need to make a change to /etc/udev/rules.d/50-kanata.rules to have it properly assign the group and permissions to /dev/uinput

ACTION!="remove", KERNEL=="uinput", MODE="0660", GROUP="uinput", OPTIONS+="static_node=uinput"

Adding the ACTION!="remove", is a workaround for a bug. You'll also need to have your kanata user and uinput group both be in the < 1000 UID/GID system range if you didn't originally create them as system accounts.

See also:
systemd/systemd#39043

[laur89]

@vereist good catch. But from what I can tell the addition of ACTION!="remove" is not needed as the udev rule described earlier in our thread does not define the problematic ACTION=="add" as mentioned e.g. in this systemd comment or this.

You'll also need to have your kanata user and uinput group both be in the < 1000 UID/GID system range if you didn't originally create them as system accounts

Could you please point us where this info is originating from and is that also a new(ish) requirement?

[vereist]

I feel like I'm taking crazy pills because without having the ACTION!="remove", it absolutely was not setting the permissions correctly on /dev/uinput. It was 0600 root:root. I believe that's because it wasn't executing the udev rule at all. That was part of the workaround in ValveSoftware/steam-devices@153caf2

But now, if I leave it at the previous KERNEL=="uinput", MODE="0660", GROUP="uinput", OPTIONS+="static_node=uinput" it works. I double-checked a snapshot just to make sure that I hadn't broken something in the syntax. So, I don't know how to explain why it will work now.

As for the UID/GID stuff:

systemd-udevd ignores OWNER=/GROUP= settings with a non-system user/group specified in udev rules files, to avoid device nodes being owned by a non-system user/group. It is recommended to check udev rules files with 'udevadm verify' and/or 'udevadm test' commands if the specified user/group in OWNER=/GROUP= are valid. Similarly, systemd-networkd refuses User=/Group= settings with a non-system user/group specified in .netdev files for Tun/Tap
interfaces.

https://github.com/systemd/systemd/blob/main/NEWS

This broke for me a couple days ago. Joys of running arch, I suppose.

[laur89]

Dang, running v258 as well but didn't get news update from my pkg manager on install. Sounds like change like this should've been notified to users.

[srini-rg]

1. Edit the following as necessary, and save it as ~/.config/systemd/user/kanata.service

[Unit]
Description=Kanata keyboard remapper
Documentation=https://github.com/jtroo/kanata

[Service]
Environment=PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/bin
Environment=DISPLAY=:0
Environment=HOME=/path/to/home/folder
Type=simple
ExecStart=/usr/local/bin/kanata --cfg /path/to/kanata/config/file
Restart=never

[Install]
WantedBy=default.target

2. Run systemctl --user start kanata.service to start kanata daemon
3. Run systemctl --user enable kanata.service so it may autostart whenever the current user logs in.
4. Run systemctl --user status kanata.service to check if kanata daemon is running or not.

In response to @ibnishak , I have two things to say:

1. I had to change the kanata ownership to root to make the service to start.
2. Does the word "persecution" mean pampering?

[brtholomy]

For users of this hardened systemd unit, what you need to do for v258: delete the uinput group, recreate it with a system GID, add the kanata user to it, and refresh both udevadm and systemd/just reboot:

groupdel uinput
groupadd --system uinput
usermod -aG uinput kanata
reboot

Check that the group now has a <1000 GID with kanata as member and the virtual device has the right ownership:

grep uinput /etc/group
ls -l /dev/uinput

Should work without any change to the udev rule.

@ram-xv you may want to add the --system flag to your groupadd invocation in your script.

See #1798

[laur89]

So the kanata user itself doesn't need to be a system user -- only the group it'll belong in?

[brtholomy]

That's right. It's the udev rule that adds the /dev/uinput node that cares. Anyway it works on my machine:

# systemctl --version
systemd 258 (258-4-arch)

# id kanata
uid=1001(kanata) gid=1002(kanata) groups=1002(kanata),994(input),960(uinput)

[Martin1887]

What about the default service configuration in NixOS? It seems very hardened:

https://github.com/NixOS/nixpkgs/blob/nixos-25.05/nixos/modules/services/hardware/kanata.nix