chore: Add deploy plumbing for the share service
Add a hardened systemd unit, a Caddy reverse-proxy snippet that maps /fabula/api/* to the loopback service, and Justfile build-server / deploy-server recipes that build a static binary and ship + restart it. Includes server/README documenting the API, config, and deploy steps. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
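--- a/server/share-svc.service
+++ b/server/share-svc.service
@@ -0,0 +1,35 @@
+[Unit]
+Description=Fabula Ultima share-link service
+Documentation=https://git.illaoi.pro/drew/fabula-ultima-html
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/share-svc
+# Bind to loopback only; Caddy reverse-proxies public traffic to it.
+Environment=ADDR=127.0.0.1:8090
+Environment=DB_PATH=/var/lib/share-svc/shares.db
+Restart=on-failure
+RestartSec=2
+
+# Run as an ephemeral, unprivileged user. StateDirectory creates and chowns
+# /var/lib/share-svc so the SQLite file persists across restarts.
+DynamicUser=yes
+StateDirectory=share-svc
+
+# Hardening
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+
+[Install]
+WantedBy=multi-user.target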
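Review bot: The `# Hardening` block stops short of the syscall and capability restrictions that normally accompany this set, so a compromised process still has the full syscall surface and whatever bounding set it inherits; for a loopback-only service that owns a single SQLite file, `SystemCallFilter=@system-service`, `SystemCallArchitectures=native`, an empty `CapabilityBoundingSet=`, `RestrictRealtime=yes` and `RestrictSUIDSGID=yes` look safe to add. `StateDirectory=share-svc` is created with systemd's default mode, so `StateDirectoryMode=0700` plus `UMask=0077` would keep shares.db (and any SQLite journal/WAL files beside it) readable only by the dynamic user. The comment above `Environment=ADDR=127.0.0.1:8090` states the loopback-only intent but nothing enforces it; `IPAddressDeny=any` with `IPAddressAllow=localhost` makes that a unit-level guarantee rather than trusting the binary to honour the variable (needs cgroup v2 with BPF on the host). If the binary is the static build the commit message describes, `MemoryDenyWriteExecute=yes` should be fine, but a runtime that maps W+X pages would fail under it, so worth confirming against the actual server build.

```ini
# … unchanged: [Unit], ExecStart, Environment=, Restart, DynamicUser …
StateDirectory=share-svc
StateDirectoryMode=0700
UMask=0077

# Hardening
# … unchanged: existing NoNewPrivileges/Protect*/Private*/Restrict*/LockPersonality/MemoryDenyWriteExecute lines …
SystemCallFilter=@system-service
SystemCallArchitectures=native
CapabilityBoundingSet=
RestrictRealtime=yes
RestrictSUIDSGID=yes
IPAddressDeny=any
IPAddressAllow=localhost
```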