Recon of the live box (Ubuntu 24.04 x86_64, nginx 1.24, certbot 2.9) showed established conventions from the existing fenja / bifrost-customer services. Match them so the portal looks like a first-class citizen: - service runs as the existing `fenja` user, journald logging + full hardening block (ProtectKernelModules, LockPersonality), ExecStart on /usr/bin/node (box upgraded globally to Node 22) - code in /opt/bifrost-portal, in-dir .env (EnvironmentFile), data under the shared /opt/fenja/data/bifrost-portal (ReadWritePaths) - nginx: 1.24 `listen ... ssl http2` syntax, certbot options-ssl-nginx + dhparam includes, server_tokens off, sites-available/bifrost-portal (no .conf) symlinked; 12m body size for photo uploads; port 4322 (free) - deploy.sh / backup.sh point at the new paths - DEPLOY.md rewritten as a server-specific runbook incl. the global Node 22 upgrade + retest of the existing apps, and pnpm via corepack Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
# ─────────────────────────────────────────────────────────────
|
|
# Systemd unit for the Bifrost portal (bifrost-portal.fenja.ai).
|
|
# Mirrors the conventions of the existing fenja.service / bifrost-customer.service
|
|
# on this box: runs as the `fenja` user, logs to journald, writes only to
|
|
# /opt/fenja/data. Astro SSR standalone server (dist/server/entry.mjs).
|
|
#
|
|
# Install to: /etc/systemd/system/bifrost-portal.service
|
|
#
|
|
# sudo cp deploy/bifrost-portal.service /etc/systemd/system/bifrost-portal.service
|
|
# sudo systemctl daemon-reload
|
|
# sudo systemctl enable --now bifrost-portal
|
|
# sudo systemctl status bifrost-portal
|
|
# sudo journalctl -u bifrost-portal -f
|
|
# ─────────────────────────────────────────────────────────────
|
|
|
|
[Unit]
|
|
Description=Bifrost portal (Astro SSR)
|
|
After=network.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=fenja
|
|
Group=fenja
|
|
WorkingDirectory=/opt/bifrost-portal
|
|
EnvironmentFile=/opt/bifrost-portal/.env
|
|
ExecStart=/usr/bin/node /opt/bifrost-portal/dist/server/entry.mjs
|
|
Restart=on-failure
|
|
RestartSec=5
|
|
|
|
# stdout / stderr → journald
|
|
StandardOutput=journal
|
|
StandardError=journal
|
|
SyslogIdentifier=bifrost-portal
|
|
|
|
# ─── Hardening (matches the other Fenja units) ───
|
|
NoNewPrivileges=true
|
|
PrivateTmp=true
|
|
ProtectSystem=strict
|
|
ProtectHome=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectControlGroups=true
|
|
RestrictSUIDSGID=true
|
|
LockPersonality=true
|
|
# Only the shared data dir is writable (db, uploads, backups live here)
|
|
ReadWritePaths=/opt/fenja/data
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
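Review bot: `ReadWritePaths=/opt/fenja/data` grants this unit write access to the whole shared data tree, while the commit description places the portal's own data under /opt/fenja/data/bifrost-portal; with ProtectSystem=strict that one line is the entire writable surface, so it should be `ReadWritePaths=/opt/fenja/data/bifrost-portal` so a compromised portal cannot alter the fenja / bifrost-customer data next to it. The hardening block also stops short of a few directives that cost nothing for an unprivileged Node process on port 4322 — an empty `CapabilityBoundingSet=`, `PrivateDevices=true`, `RestrictNamespaces=true`, `RestrictRealtime=true`, `SystemCallArchitectures=native` and a `RestrictAddressFamilies=` allow-list; if the sibling units really lack these, it is worth adding them to all three rather than documenting the gap in each. Since EnvironmentFile=/opt/bifrost-portal/.env will hold the secrets, the runbook (DEPLOY.md) should state the expected ownership and `0600` mode of that file, which the unit itself cannot enforce. Confirm on the box that the directory named in ReadWritePaths exists before the first start, and that the address-family list still lets journald logging and the app's listener come up.
```ini
# … unchanged: [Unit], [Service] basics, journald settings, hardening up to LockPersonality …
# Unprivileged listener on 4322: no capabilities, devices, namespaces or realtime needed
CapabilityBoundingSet=
PrivateDevices=true
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native
# Verify at first start; drop AF_NETLINK if the app never enumerates interfaces
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
# Only this service's own data dir is writable (db, uploads, backups live here)
ReadWritePaths=/opt/fenja/data/bifrost-portal
# … unchanged: [Install] …
```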