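# Bento app-build controller (bentod) — systemd USER service under the operator.
#
# bentod is a user service (not system) because it builds the apps and so needs
# the operator's environment directly: SSH keys to the tailnet build hosts + the
# mbp ops-agent, the app checkouts under ~/Code/Apps, and the _private layer for
# signing secrets (secrets_root). A hardened system user can't reach those.
#
# Trade-off: bentod runs with the operator's full privileges. Anything that can
# write ~/.local/bin/bentod, this unit file or bento-daemon.toml gets the same
# reach (SSH keys, signing secrets), so keep those paths writable by the
# operator only.
#
# Install (one-time, no sudo except enable-linger):
#   mkdir -p ~/.config/systemd/user
#   install -m 0644 bentod.service ~/.config/systemd/user/
#   loginctl enable-linger "$USER"   # keep it running across logout/reboot
#   systemctl --user daemon-reload
#   systemctl --user enable --now bentod
#
# Watch: journalctl --user -u bentod -f
# Deploy a new bentod: build, copy to ~/.local/bin/bentod, `systemctl --user
# restart bentod` (no sudo — that's the point of a user service).

[Unit]
Description=Bento app build controller
# NOTE(review): the per-user systemd manager normally does not carry the system
# manager's network-online.target, so this ordering may be a no-op for a user
# unit; Restart=on-failure below is then what covers a start before the network
# is up. Check with `systemctl --user list-dependencies bentod`.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# %h expands to the home directory of the user running this service manager.
ExecStart=%h/.local/bin/bentod
Restart=on-failure
RestartSec=5
Environment=BENTO_CONFIG=%h/.config/bento/bento-daemon.toml
# Loopback bind (default) needs no token. For a tailnet bind, set listen to the
# tailnet IP in bento-daemon.toml AND provide BENTO_API_TOKEN here by
# uncommenting the EnvironmentFile= line below (bento.env contains
# BENTO_API_TOKEN=...).
#  - Put the token in bento.env, not in an Environment= line: this unit is
#    installed 0644. Keep bento.env mode 0600.
#  - systemd unit files have no trailing comments; text after the path would
#    become part of the file name, so keep the directive bare.
#  - The leading "-" makes a missing file a silent no-op. For a tailnet bind,
#    consider dropping it so a missing token file fails the start. Whether
#    bentod itself refuses a non-loopback bind without a token is not shown
#    here — confirm.
#EnvironmentFile=-%h/.config/bento/bento.env
StandardOutput=journal
StandardError=journal
SyslogIdentifier=bentod

[Install]
WantedBy=default.target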