Fix known-hosts trust deadlock, host key stat, and optional nozstd build

- stdout logger: release mutex while waiting on pause resume so prompt
  callbacks can log (fixes hang after trusting new hosts; known_hosts
  was written but Resume never ran).
- known hosts callback: stop borrowing the SSH dial throttle channel
  (could block or interact badly with parallel handshakes).
- host key path: use errors.Is(..., fs.ErrNotExist) for RootedPath.Stat
  wrapped errors; stat errors now fail fast instead of mis-read.
- public key path: same ErrNotExist check for authorized_keys miss.
- Build: optional DTAIL_NO_ZSTD=yes / nozstd tag for CGO-free builds;
  split zstd readers into tagged files.
- Docs/examples: firewalld note for port 2222, log prune timer+script,
  SSHBindAddress note, dserver unit disabled-by-default comment;
  firewalld helper script example.
- Regression test for stdout pause/mutex behavior.

Made-with: Cursor

5 files changed, 50 insertions, 0 deletions

diff --git a/examples/dserver-prune-logs.service.example b/examples/dserver-prune-logs.service.example
new file mode 100644
index 0000000..8899487
--- /dev/null
+++ b/examples/dserver-prune-logs.service.example
@@ -0,0 +1,8 @@
+[Unit]
+Description=Delete dserver log files older than 7 days
+
+[Service]
+Type=oneshot
+User=dserver
+Group=dserver
+ExecStart=/var/run/dserver/prune_dserver_logs.sh
diff --git a/examples/dserver-prune-logs.timer.example b/examples/dserver-prune-logs.timer.example
new file mode 100644
index 0000000..2ec13b6
--- /dev/null
+++ b/examples/dserver-prune-logs.timer.example
@@ -0,0 +1,9 @@
+[Unit]
+Description=Daily cleanup of dserver logs older than 7 days
+
+[Timer]
+OnCalendar=daily
+RandomizedDelaySec=1800
+
+[Install]
+WantedBy=timers.target
diff --git a/examples/dserver.service.example b/examples/dserver.service.example
index c5e5e59..f299025 100644
--- a/examples/dserver.service.example
+++ b/examples/dserver.service.example
@@ -1,3 +1,5 @@
+# Installs disabled by default: do not run `systemctl enable dserver` unless you
+# want it at boot. Start manually with: sudo systemctl start dserver
 [Unit]
 Description=DTail server
 After=network.target
diff --git a/examples/firewalld-dserver-port.sh.example b/examples/firewalld-dserver-port.sh.example
new file mode 100644
index 0000000..f10ce08
--- /dev/null
+++ b/examples/firewalld-dserver-port.sh.example
@@ -0,0 +1,21 @@
+#!/bin/bash
+# Allow inbound TCP to dserver (default port 2222) when firewalld is used.
+# Run once on the server as root, or fold into your config management.
+
+set -euo pipefail
+
+PORT="${DTAIL_FIREWALL_PORT:-2222}"
+
+if ! command -v firewall-cmd >/dev/null 2>&1; then
+	echo "firewall-cmd not found; skip or configure your firewall manually." >&2
+	exit 0
+fi
+
+if ! firewall-cmd --state >/dev/null 2>&1; then
+	echo "firewalld not running; nothing to do." >&2
+	exit 0
+fi
+
+firewall-cmd --permanent "--add-port=${PORT}/tcp"
+firewall-cmd --reload
+echo "Opened ${PORT}/tcp. Current ports: $(firewall-cmd --list-ports)"
diff --git a/examples/prune_dserver_logs.sh.example b/examples/prune_dserver_logs.sh.example
new file mode 100644
index 0000000..56a68cd
--- /dev/null
+++ b/examples/prune_dserver_logs.sh.example
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+declare -r LOGDIR=/var/run/dserver/log
+
+if [ ! -d "$LOGDIR" ]; then
+	exit 0
+fi
+
+# Daily rotated logs: YYYYMMDD.log — remove files not modified in the last 7 days.
+/usr/bin/find "$LOGDIR" -type f -name '*.log' -mtime +7 -delete