# Privileged self-update unit for the Sando controller.
#
# Instance name = the target git sha, e.g. `sando-update@<40-hex>.service`.
# Triggered by sandod's POST /self-update (the sando user is authorized to
# start this template by the polkit rule 10-sando-update.rules) — sandod itself
# runs unprivileged and cannot install a binary or restart its own service.
#
# Trust boundary: this unit is the one place where a request from the
# unprivileged sando user turns into work done as root. Two inputs cross it:
# the instance name (%i) and the contents of /etc/sando/sando.env.
# systemd does not check that the instance name is a 40-hex sha; that is only
# a convention of the caller.
# NOTE(review): confirm sando-self-update.sh rejects any argument that is not
# exactly 40 hex characters before using it, and that 10-sando-update.rules
# grants only the "start" verb on sando-update@*.service units.
#
# Install (one-time, as root):
#   sudo install -m 0755 sando-self-update.sh /usr/local/lib/sando/sando-self-update.sh
#   sudo install -m 0644 sando-update@.service /etc/systemd/system/
#   sudo install -m 0644 10-sando-update.rules /etc/polkit-1/rules.d/
#   sudo systemctl daemon-reload
# NOTE(review): /usr/local/lib/sando/ and the script must stay root-owned and
# not writable by the sando user, otherwise starting this unit runs
# sando-controlled code as root — verify directory ownership and mode.
#
# Watch a run (glob so every instance of the template is matched):
#   journalctl -u 'sando-update@*' -f

[Unit]
Description=Sando controller self-update to %i
# Don't tear sandod down underneath an in-flight job needlessly; ordering only.
# After= without Wants=/Requires= only orders this unit behind
# network-online.target when that target is part of the same transaction;
# it does not pull the target in.
After=network-online.target

[Service]
# oneshot: the unit stays "activating" until the script exits, and the script's
# exit status becomes the unit's result.
Type=oneshot
# Root: the build drops to the sando user internally; install + restart need root.
# No User= is set, so the script starts as root. %i is the instance name as
# supplied by whoever started the unit, passed as the script's only argument.
ExecStart=/usr/local/lib/sando/sando-self-update.sh %i
# Inherit the operator-set knobs (upstream URL, build user, paths) if present.
# The leading "-" makes a missing file a non-error. Everything in this file
# lands in the environment of a root process and steers what is fetched and
# where it is installed.
# NOTE(review): confirm /etc/sando/sando.env is root-owned and not writable by
# the sando user, or these knobs become a path from sando to root.
EnvironmentFile=-/etc/sando/sando.env
# Upper bound on the whole run: 1800 s (30 min); on expiry systemd stops the
# script and the unit fails.
TimeoutStartSec=1800
# Script output goes to the journal, tagged with the identifier below.
StandardOutput=journal
StandardError=journal
SyslogIdentifier=sando-update