From 6bf46ce9a426765fcaf1985617a7dcbedbfd09da Mon Sep 17 00:00:00 2001
From: CroneKorkN
Date: Sun, 10 May 2026 17:38:15 +0200
Subject: [PATCH] left4me: emit left4me-web.service via systemd/units reactor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Translates left4me/deploy/files/usr/local/lib/systemd/system/left4me-web.service into a Python dict consumed by bundles/systemd/. Two changes vs. the shell-deploy unit:
- --bind 0.0.0.0:8000 -> 127.0.0.1:8000 (nginx terminates TLS in front)
- workers/threads are templated from left4me/gunicorn_{workers,threads} (defaults: 1 worker + 32 threads — same as the static unit)
---
 bundles/left4me/metadata.py | 52 +++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/bundles/left4me/metadata.py b/bundles/left4me/metadata.py
index 327db22..fa474b7 100644
--- a/bundles/left4me/metadata.py
+++ b/bundles/left4me/metadata.py
@@ -20,3 +20,55 @@ defaults = {
 },
 },
 }
+
+
+@metadata_reactor.provides(
+ 'systemd/units',
+)
+def systemd_units(metadata):
+ workers = metadata.get('left4me/gunicorn_workers')
+ threads = metadata.get('left4me/gunicorn_threads')
+
+ web_service = {
+ 'Unit': {
+ 'Description': 'left4me web application',
+ 'After': 'network-online.target',
+ 'Wants': 'network-online.target',
+ },
+ 'Service': {
+ 'Type': 'simple',
+ 'User': 'left4me',
+ 'Group': 'left4me',
+ 'WorkingDirectory': '/opt/left4me/src',
+ 'Environment': {
+ 'HOME=/var/lib/left4me',
+ 'PATH=/opt/left4me/.venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ },
+ 'EnvironmentFile': {
+ '/etc/left4me/host.env',
+ '/etc/left4me/web.env',
+ },
+ 'ExecStart': (
+ '/opt/left4me/.venv/bin/gunicorn '
+ f'--workers {workers} --threads {threads} '
+ "--bind 127.0.0.1:8000 'l4d2web.app:create_app()'"
+ ),
+ 'Restart': 'on-failure',
+ 'RestartSec': '3',
+ # NoNewPrivileges intentionally NOT set: workers sudo to the helpers.
+ 'ProtectSystem': 'full',
+ 'ReadWritePaths': '/var/lib/left4me',
+ 'PrivateTmp': 'true',
+ },
+ 'Install': {
+ 'WantedBy': {'multi-user.target'},
+ },
+ }
+
+ return {
+ 'systemd': {
+ 'units': {
+ 'left4me-web.service': web_service,
+ },
+ },
+ }
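Review bot: `'ReadWritePaths': '/var/lib/left4me'` has no effect next to `'ProtectSystem': 'full'`, because `full` only makes /usr, the boot loader directories and /etc read-only and leaves /var writable anyway, so the unit is less confined than this pair of settings suggests. With NoNewPrivileges deliberately left off so that workers can sudo to the helpers, the filesystem restriction is most of the containment this service has. If the helpers (not visible in this hunk) only need to write under /var/lib/left4me, `'ProtectSystem': 'strict',` would make the ReadWritePaths line meaningful; otherwise a comment such as `# ReadWritePaths is a no-op under ProtectSystem=full; kept for a later move to strict` would record the intent. Separately, `'EnvironmentFile'` is a Python set, so whether web.env overrides host.env depends on how bundles/systemd orders set members when it renders the unit; it is worth confirming that it sorts them, or using an ordered type if the bundle accepts one.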