# ─────────────────────────────────────────────────────────────
# Systemd unit for project-bifrost.
#
# Install to: /etc/systemd/system/fenja.service
#
# sudo cp deploy/fenja.service /etc/systemd/system/fenja.service
# sudo systemctl daemon-reload
# sudo systemctl enable --now fenja
# sudo systemctl status fenja
# sudo journalctl -u fenja -f # live tail of logs
# ─────────────────────────────────────────────────────────────

# Unit metadata and start-up ordering.
[Unit]
Description=Fenja AI (project-bifrost)
# Ordering only: start after the network stack is brought up. This does not
# wait for an address or route to be configured (network-online.target does).
After=network.target

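# How the process is started, which account it runs as, and how it is confined.
[Service]
# The node process started by ExecStart is itself the service (no forking).
Type=simple
# Dedicated unprivileged account; the service never runs as root.
User=fenja
Group=fenja
WorkingDirectory=/opt/fenja
# KEY=value pairs loaded into the service environment by systemd itself.
# If this file holds secrets, restrict it (for example mode 0600) so other
# local users cannot read it. It lies outside ReadWritePaths, so under
# ProtectSystem=strict below the service cannot modify it.
# NOTE(review): if server.js also reads this file directly, the fenja
# account needs read access to it. Confirm before tightening ownership.
EnvironmentFile=/opt/fenja/.env
# Absolute script path, so start-up does not depend on WorkingDirectory.
ExecStart=/usr/bin/node /opt/fenja/server.js
# Restart only on an unclean exit (non-zero status, signal, timeout),
# after a 5 second pause.
Restart=on-failure
RestartSec=5

# stdout / stderr → journald
StandardOutput=journal
StandardError=journal
# Tag used for this service's log lines.
SyslogIdentifier=fenja

# ─── Hardening ───
# Review the resulting exposure with: systemd-analyze security fenja
# The process and its children can never gain privileges (setuid binaries,
# file capabilities).
NoNewPrivileges=true
# Private /tmp and /var/tmp, not shared with other services.
PrivateTmp=true
# Whole file system is read-only for the service, except /dev, /proc, /sys
# and the paths listed in ReadWritePaths.
ProtectSystem=strict
# /home, /root and /run/user are inaccessible.
ProtectHome=true
# Kernel tunables under /proc/sys and /sys are read-only.
ProtectKernelTunables=true
# Kernel modules cannot be loaded or unloaded.
ProtectKernelModules=true
# The cgroup hierarchy is read-only.
ProtectControlGroups=true
# Kernel log buffer cannot be read or written.
ProtectKernelLogs=true
# Host name and domain name cannot be changed.
ProtectHostname=true
# Files cannot be given the set-user-ID / set-group-ID bits.
RestrictSUIDSGID=true
# Real-time scheduling cannot be acquired.
RestrictRealtime=true
# Execution domain (personality) cannot be changed.
LockPersonality=true
# Empty bounding set: the service holds and can acquire no capabilities.
# A non-root service that binds an unprivileged port needs none.
CapabilityBoundingSet=
# NOTE(review): MemoryDenyWriteExecute is deliberately not set. It blocks
# the writable-then-executable memory that Node's JIT compiler relies on.
# NOTE(review): RestrictAddressFamilies would narrow socket types further,
# but the families server.js needs are not visible here. Verify first.
# Only these paths are writable
# The directory must exist before start, or the unit fails while setting up
# its mount namespace.
ReadWritePaths=/opt/fenja/data
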
# Used by `systemctl enable`: the service is pulled in by the normal
# multi-user boot target, so it starts at boot.
[Install]
WantedBy=multi-user.target