e9c172a619
Hardening directives leave the base unit body and live in: deploy/files/etc/systemd/system/left4me-web.service.d/10-hardening.conf deploy/files/etc/systemd/system/left4me-server@.service.d/10-hardening.conf Reference units now describe just the base operational shape (exec, env, restart, resources). Tests split: base-unit content and hardening profile are asserted separately. Part of 2026-05-15-deployment-responsibility-design.md migration step 2. ckn-bw lands the matching reactor surgery + symlink delivery.
37 lines
1.3 KiB
Desktop File
37 lines
1.3 KiB
Desktop File
# left4me web application — system unit.
|
|
#
|
|
# This is the REFERENCE COPY of the deployed unit base body. The live
|
|
# source is the systemd/units reactor at
|
|
# ~/Projekte/ckn-bw/bundles/left4me/metadata.py (look for
|
|
# 'left4me-web.service').
|
|
#
|
|
# Hardening: see left4me-web.service.d/10-hardening.conf
|
|
#
|
|
# Threat model + defenses + tests: see docs/superpowers/specs/2026-05-15-hardening-*
|
|
|
|
[Unit]
|
|
Description=left4me web application
|
|
After=network-online.target
|
|
Wants=network-online.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=left4me
|
|
Group=left4me
|
|
WorkingDirectory=/opt/left4me/src
|
|
Environment=HOME=/var/lib/left4me PATH=/var/lib/left4me/.venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
|
EnvironmentFile=/etc/left4me/host.env
|
|
EnvironmentFile=/etc/left4me/web.env
|
|
# Placeholder values for --workers / --threads. Live emission interpolates
|
|
# from metadata.get('left4me/gunicorn_workers') and gunicorn_threads.
|
|
ExecStart=/var/lib/left4me/.venv/bin/gunicorn --workers 1 --threads 32 --bind 127.0.0.1:8000 'l4d2web.app:create_app()'
|
|
Restart=on-failure
|
|
RestartSec=3
|
|
|
|
# Web writes broadly under /var/lib/left4me (DB, instance configs,
|
|
# overlays, runtime). Kept inline because it's web-specific
|
|
# (server@ uses BindPaths to bind only its instance dir).
|
|
ReadWritePaths=/var/lib/left4me
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|