

S37: systemd units (web/worker/cron + timer)

Authored by espadonne
SHA
0dd44ceb712a6a348184dea0e7aa0216364f807f
Parents
82c7a0b
Tree
4163888

4 changed files

StatusFile+-
A deploy/systemd/shithubd-cron.service 15 0
A deploy/systemd/shithubd-cron.timer 13 0
A deploy/systemd/shithubd-web.service 41 0
A deploy/systemd/shithubd-worker.service 32 0
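--- a/deploy/systemd/shithubd-cron.service
+++ b/deploy/systemd/shithubd-cron.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=shithub periodic housekeeping (sweeps + purges)
+After=network-online.target postgresql.service
+
+[Service]
+Type=oneshot
+User=shithub
+Group=shithub
+EnvironmentFile=/etc/shithub/worker.env
+# Each subcommand is idempotent; we kick the canonical sweeps.
+# lifecycle:sweep was deferred from S16 — past-grace hard-deletes
+# + transfer expiry; the worker pool runs it on cron tick.
+ExecStart=/usr/local/bin/shithubd admin run-job lifecycle:sweep
+ExecStart=/usr/local/bin/shithubd admin run-job jobs:purge_completed
+ExecStart=/usr/local/bin/shithubd admin run-job webhook:purge_old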
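Review bot: The cron service orders itself with `After=network-online.target postgresql.service` but, unlike the web and worker units, declares no `Requires=`/`Wants=` on `postgresql.service`, so the timer can fire the job while the database is down and each `admin run-job` will presumably fail rather than wait; adding `Requires=postgresql.service` under `[Unit]` matches the siblings. None of the sandbox directives applied to shithubd-web.service and shithubd-worker.service (`NoNewPrivileges=`, `ProtectSystem=strict`, `ProtectHome=`, `PrivateTmp=`, `ReadWritePaths=`) appear here even though this unit runs the same binary as the same user with the same `worker.env`; copying that block over, or a comment stating why the housekeeping run needs less confinement, is expected. Note also that with `Type=oneshot` and three `ExecStart=` lines, a non-zero exit from lifecycle:sweep stops the two purges from running at all; if they are independent, prefix them with `-` (`ExecStart=-/usr/local/bin/shithubd admin run-job jobs:purge_completed`) so one failed sweep does not skip the others.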
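--- a/deploy/systemd/shithubd-cron.timer
+++ b/deploy/systemd/shithubd-cron.timer
@@ -0,0 +1,13 @@
+[Unit]
+Description=shithub periodic housekeeping timer
+
+[Timer]
+# Every hour at :07 — odd minute keeps it off shared-hour boundaries.
+OnCalendar=hourly
+# Run once at boot, ~5min in, so a fresh deploy doesn't wait an hour.
+OnBootSec=5min
+Persistent=true
+Unit=shithubd-cron.service
+
+[Install]
+WantedBy=timers.target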
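Review bot: The comment above `OnCalendar=hourly` says the job runs at :07 to stay off shared-hour boundaries, but `hourly` is systemd shorthand for `*-*-* *:00:00`, so the timer actually fires on the hour and the stated intent is not in effect. Either change the value to `OnCalendar=*-*-* *:07:00` or rewrite the comment to match; if the real goal is just to avoid synchronized load across hosts, `RandomizedDelaySec=` is the conventional alternative and would also be worth a comment. `Persistent=true` additionally fires a missed run as soon as the timer is activated, which on a fresh boot can land close to the `OnBootSec=5min` run; harmless for idempotent sweeps, but the comment should say that double-firing is acceptable.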
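--- a/deploy/systemd/shithubd-web.service
+++ b/deploy/systemd/shithubd-web.service
@@ -0,0 +1,41 @@
+[Unit]
+Description=shithub web server
+After=network-online.target postgresql.service
+Wants=network-online.target
+Requires=postgresql.service
+
+[Service]
+Type=simple
+User=shithub
+Group=shithub
+EnvironmentFile=/etc/shithub/web.env
+# Run pending migrations BEFORE starting. ExecStartPre failure
+# prevents the unit from starting (correct behavior for a bad
+# migration). Recovery is documented in runbooks/upgrade.md.
+ExecStartPre=/usr/local/bin/shithubd migrate up
+ExecStart=/usr/local/bin/shithubd web
+Restart=on-failure
+RestartSec=2
+LimitNOFILE=65535
+
+# Hardening — match systemd-analyze security defaults where they
+# don't conflict with the app's needs (writes to data root, opens
+# port 8080).
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+ReadWritePaths=/data /var/lib/shithub
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target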
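Review bot: The hardening block under the "match systemd-analyze security" comment stops short of the directives that tool weights most heavily — there is no `CapabilityBoundingSet=`, `RestrictAddressFamilies=`, `SystemCallFilter=`, `PrivateDevices=`, `ProtectClock=` or `ProtectHostname=` — even though the unit already runs as an unprivileged user on an unprivileged port and so needs none of what they remove. The lines below add them; `AF_UNIX` is included on the assumption that the database may be reached over a local socket, so drop it if the `web.env` DSN is TCP-only, and the same additions apply to shithubd-worker.service. Separately, `Restart=on-failure` also covers an `ExecStartPre=` failure, so as far as I can tell a failing `migrate up` is re-run every 2 s until the default start-rate limit trips rather than stopping on the first failure as the comment implies; a `RestartPreventExitStatus=` keyed to a dedicated exit code from `migrate up` would make the comment accurate.
```ini
# … unchanged: [Unit], Type/User/Group/EnvironmentFile, ExecStartPre/ExecStart, existing Protect*/Restrict* lines …
SystemCallArchitectures=native
# Unprivileged listener on 8080: no capabilities are needed, only
# TCP and local sockets, and the @system-service allow-list covers
# a normal daemon. Re-check with `systemd-analyze security` after
# editing; AF_UNIX can go if the DB is reached over TCP only.
CapabilityBoundingSet=
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
PrivateDevices=yes
ProtectClock=yes
ProtectHostname=yes
# … unchanged: [Install] …
```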
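--- a/deploy/systemd/shithubd-worker.service
+++ b/deploy/systemd/shithubd-worker.service
@@ -0,0 +1,32 @@
+[Unit]
+Description=shithub background worker pool
+After=network-online.target postgresql.service shithubd-web.service
+Wants=network-online.target
+Requires=postgresql.service
+
+[Service]
+Type=simple
+User=shithub
+Group=shithub
+EnvironmentFile=/etc/shithub/worker.env
+ExecStart=/usr/local/bin/shithubd worker
+Restart=on-failure
+RestartSec=2
+LimitNOFILE=65535
+
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+ReadWritePaths=/data /var/lib/shithub
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+
+[Install]
+WantedBy=multi-user.target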
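Review bot: The sandbox block here is a strict subset of the one in shithubd-web.service: `MemoryDenyWriteExecute=yes` and `SystemCallArchitectures=native` are missing, and there is no comment saying why the worker should get less confinement than the web process that runs the same binary as the same user, so the divergence reads as an oversight. Adding the two lines after `LockPersonality=yes` (`MemoryDenyWriteExecute=yes` / `SystemCallArchitectures=native`), along with the explanatory header comment the web unit carries, keeps the pair reviewable side by side; if the worker genuinely needs writable-and-executable memory, a comment stating that is the right fix instead. `After=shithubd-web.service` only orders the two when both are started in the same transaction; if it is meant to guarantee that the migrations in the web unit's `ExecStartPre=` have run before the worker touches the schema, it needs `Wants=shithubd-web.service` as well, or the worker should run `migrate up` itself.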