josh/Vetting
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6ce95547f4e00ce4814980e6813ffc78c0712192
Vetting/deploy/vetting.service
T
josh 273e7593bc
CI / Lint + build + test (push) Failing after 5m17s
Details
Fix LXC deploy: absolute paths + systemd section for StartLimit 
Service was crashing on every boot because vetting.example.yaml uses
./var/... relative paths that resolve to / under ProtectSystem=strict.
Ship a separate vetting.production.yaml with absolute /var/lib/vetting
+ /var/log/vetting paths that match the unit's ReadWritePaths, and
have install.sh copy that one. Also move StartLimit* keys into [Unit]
to silence the 'Unknown key' warning on modern systemd.
2026-04-17 22:02:03 -04:00

54 lines
1.8 KiB
Desktop File
Raw Blame History

[Unit]
Description=Vetting orchestrator (post-repair hardware validation)
Documentation=https://gitea.thewrightserver.net/josh/Vetting
After=network-online.target
Wants=network-online.target
StartLimitBurst=5
StartLimitIntervalSec=60
[Service]
Type=simple
User=vetting
Group=vetting
ExecStart=/usr/local/bin/vetting --config /etc/vetting/vetting.yaml
# The orchestrator embeds dnsmasq and sends raw WoL broadcasts. Rather
# than run as root, grant just the caps we need:
# CAP_NET_BIND_SERVICE — if the operator binds :443 or :80
# CAP_NET_RAW — WoL magic packet via DGRAM broadcast; not
# strictly required when using UDP broadcast to
# 255.255.255.255 on port 9, but safer to carry
# so custom ports work.
# CAP_NET_ADMIN — dnsmasq needs this to create the DHCP socket
# and to bind to a specific interface.
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN
# Filesystem: the orchestrator needs to write to /var/lib/vetting and
# /var/log/vetting. Everything else is read-only.
ReadWritePaths=/var/lib/vetting /var/log/vetting
ProtectSystem=strict
ProtectHome=true
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectControlGroups=true
ProtectKernelTunables=true
ProtectKernelModules=true
RestrictSUIDSGID=true
RestrictNamespaces=true
LockPersonality=true
# Restart policy — crash out loudly on startup errors, but recover from
# transient failures. (StartLimit* lives under [Unit] in modern systemd.)
Restart=on-failure
RestartSec=5
# Logs go to journald; the orchestrator's own per-run log files live
# under /var/log/vetting regardless.
StandardOutput=journal
StandardError=journal
[Install]
WantedBy=multi-user.target
Reference in New Issue View Git Blame Copy Permalink