left4me: emit left4me-web.service via systemd/units reactor

Translates left4me/deploy/files/usr/local/lib/systemd/system/left4me-web.service into a Python dict consumed by bundles/systemd/. Two changes vs. the shell-deploy unit: - --bind 0.0.0.0:8000 -> 127.0.0.1:8000 (nginx terminates TLS in front) - workers/threads are templated from left4me/gunicorn_{workers,threads} (defaults: 1 worker + 32 threads — same as the static unit)
2026-05-10 17:38:15 +02:00 · 2026-05-10 17:38:15 +02:00 · 6bf46ce9a4
commit 6bf46ce9a4
parent def010c976
1 changed files with 52 additions and 0 deletions
--- a/bundles/left4me/metadata.py
+++ b/bundles/left4me/metadata.py
@ -20,3 +20,55 @@ defaults = {
        },
    },
 }
+
+
+@metadata_reactor.provides(
+    'systemd/units',
+)
+def systemd_units(metadata):
+    workers = metadata.get('left4me/gunicorn_workers')
+    threads = metadata.get('left4me/gunicorn_threads')
+
+    web_service = {
+        'Unit': {
+            'Description': 'left4me web application',
+            'After': 'network-online.target',
+            'Wants': 'network-online.target',
+        },
+        'Service': {
+            'Type': 'simple',
+            'User': 'left4me',
+            'Group': 'left4me',
+            'WorkingDirectory': '/opt/left4me/src',
+            'Environment': {
+                'HOME=/var/lib/left4me',
+                'PATH=/opt/left4me/.venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+            },
+            'EnvironmentFile': {
+                '/etc/left4me/host.env',
+                '/etc/left4me/web.env',
+            },
+            'ExecStart': (
+                '/opt/left4me/.venv/bin/gunicorn '
+                f'--workers {workers} --threads {threads} '
+                "--bind 127.0.0.1:8000 'l4d2web.app:create_app()'"
+            ),
+            'Restart': 'on-failure',
+            'RestartSec': '3',
+            # NoNewPrivileges intentionally NOT set: workers sudo to the helpers.
+            'ProtectSystem': 'full',
+            'ReadWritePaths': '/var/lib/left4me',
+            'PrivateTmp': 'true',
+        },
+        'Install': {
+            'WantedBy': {'multi-user.target'},
+        },
+    }
+
+    return {
+        'systemd': {
+            'units': {
+                'left4me-web.service': web_service,
+            },
+        },
+    }