8f30dd7754
Janitorial item 6 in 2026-05-15-janitorial-cleanup.md. The v1 sandbox design (2026-05-08-l4d2-script-overlays-design.md) was approved 2026-05-08 and superseded the same day by the v2 systemd-only design (2026-05-08-l4d2-script-sandbox-v2-systemd.md). The current left4me-script-sandbox helper uses systemd-run in service-unit mode; no bwrap binary is invoked. The v1 spec still described bubblewrap as the engine. - v1 spec gets a top-of-file banner pointing at v2 as the supersede. Body preserved; the rest of the v1 design (overlay-type unification, resource caps, helper auth) is still valid — only the sandbox engine changed. - l4d2web/services/overlay_builders.py: ScriptBuilder docstring "bubblewrap + systemd-run" → "hardened systemd-run transient service" (the as-built reality). - scripts/tests/test_script_sandbox.py: stray "/bwrap" in a comment cleaned up. Negative regression assertions (`assert "bwrap" not in text`) intentionally retained as the guard against accidental re-introduction. - Plan docs left untouched (historical action snapshots). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| alembic | ||
| routes | ||
| services | ||
| static | ||
| templates | ||
| tests | ||
| __init__.py | ||
| alembic.ini | ||
| app.py | ||
| auth.py | ||
| cli.py | ||
| config.py | ||
| db.py | ||
| models.py | ||
| pyproject.toml | ||
| README.md | ||
l4d2-web-app
Flask web app for managing L4D2 servers through user-private blueprints.
Key v1 behaviors
- Local username/password login; no public signup
- Admin-managed overlay catalog
- Private blueprints per user
- Server creation from blueprints (live-linked; no per-server blueprint overrides)
- Async job model with persisted command logs in
job_logs - Desired vs actual state model
- Live logs for jobs and servers via SSE endpoints
- Host operations go through
l4d2ctlvia a local host command runner, not directl4d2hostimports
Frontend constraints
- Server-rendered templates (Jinja)
- Vendored HTMX (
static/vendor/htmx.min.js) - Custom CSS only
- Tokenized, consistent link and accent colors
Development
python3 -m venv .venv
.venv/bin/pip install -e .
.venv/bin/pytest tests -q
Configuration
The web app reads these settings from the environment:
DATABASE_URL: SQLAlchemy database URL, for examplesqlite:////var/lib/left4me/left4me.db.SECRET_KEY: Flask secret key used for sessions and CSRF-sensitive state.JOB_WORKER_THREADS: number of background job worker threads.
In the systemd deployment, environment is loaded from /etc/left4me/host.env and /etc/left4me/web.env.
Admin Bootstrap
Create the first admin account with the Flask CLI. Provide the password through LEFT4ME_ADMIN_PASSWORD:
LEFT4ME_ADMIN_PASSWORD='change-me' flask create-user <username> --admin