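# Sando daemon systemd service
# Place at /etc/systemd/system/sandod.service on the Sando host (fw13).
#
# Commands:
#   sudo systemctl daemon-reload
#   sudo systemctl enable sandod
#   sudo systemctl start sandod
#   sudo systemctl status sandod
#   journalctl -u sandod -f
#
# After touching the hardening block in [Service], run
# `systemd-analyze security sandod` and then exercise a real deploy: every
# sandbox directive also applies to the ssh/git/cargo children the daemon
# spawns, so an over-tight setting surfaces as "Operation not permitted" in
# the journal rather than as the unit failing to start.

[Unit]
Description=Sando deploy controller
Documentation=https://github.com/maxjmath/MNW
# network.target only means the network stack is configured, not that a
# route is up. If the first outbound ssh at boot must succeed, order after
# network-online.target (and add Wants=network-online.target) instead.
After=network.target postgresql.service
Wants=postgresql.service

[Service]
Type=simple
# Dedicated unprivileged account. ReadWritePaths below only lifts the
# read-only mount on /srv/sando; the sando user still needs ordinary
# ownership/DAC permissions on that tree.
User=sando
Group=sando
WorkingDirectory=/srv/sando
ExecStart=/usr/local/bin/sandod
Restart=on-failure
RestartSec=5

Environment=SANDO_CONFIG=/etc/sando/sando-daemon.toml
# NOTE(review): /srv/sando/.cargo/bin is writable by the service user and is
# first on PATH, so anything that writes there (e.g. a deploy step running
# `cargo install`) shadows git/ssh/etc. for every later deploy. Move it to
# the end of PATH or pin the tool paths if that is not intended.
Environment=PATH=/srv/sando/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# ProtectHome=true hides /home, so HOME has to point at the state dir;
# presumably ssh reads its keys and known_hosts from /srv/sando/.ssh — confirm.
Environment=HOME=/srv/sando
# Optional file; the leading "-" makes a missing file non-fatal. If it holds
# credentials keep it root:sando 0640 (systemd reads it as root, the daemon
# never opens it), or move the secrets to LoadCredential=, which exposes them
# only under $CREDENTIALS_DIRECTORY instead of in the process environment.
EnvironmentFile=-/etc/sando/sando.env

# Security hardening. Sando needs ssh outbound, git over fs, postgres over
# unix socket, and read/write on its own state dirs.
# NoNewPrivileges also disables setuid helpers (sudo, su, ...) for the daemon
# and everything it spawns; deploy steps must not rely on them.
NoNewPrivileges=true
# Whole filesystem read-only except ReadWritePaths. /etc/sando stays readable
# and /tmp is private to the unit.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/srv/sando
# AF_UNIX for the postgres socket, AF_INET/AF_INET6 for outbound ssh;
# netlink, packet and the rest are denied.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
# Private /dev containing only pseudo-devices (null, zero, urandom, ...);
# none of the needs listed above involve real device nodes.
PrivateDevices=true
# The unit already runs unprivileged; an empty bounding set makes that
# explicit so a later switch to User=root does not silently regain caps.
CapabilityBoundingSet=
SystemCallArchitectures=native
# Standard system-service allow-list (no @mount, @reboot, @raw-io, @debug,
# @module, ...). Denied calls return EPERM instead of killing the process,
# so a blocked call inside a deploy child is visible in the journal. Add a
# second SystemCallFilter= line to relax it if a legitimate step needs more.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

LimitNOFILE=65535

StandardOutput=journal
StandardError=journal
SyslogIdentifier=sandod

[Install]
WantedBy=multi-user.target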