fabula-ultima-html/server/share-svc.service
Drew Malzahn 410eb3a5a8 chore: Add deploy plumbing for the share service
Add a hardened systemd unit, a Caddy reverse-proxy snippet that maps
/fabula/api/* to the loopback service, and Justfile build-server/
deploy-server recipes that build a static binary and ship + restart it.
Includes server/README documenting the API, config, and deploy steps.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-17 02:01:37 +00:00


# systemd unit for the share-link service: metadata and start-up ordering.
[Unit]
Description=Fabula Ultima share-link service
Documentation=https://git.illaoi.pro/drew/fabula-ultima-html
# After= orders this unit behind network-online.target; Wants= pulls that target
# in without making it a hard requirement.
# NOTE(review): the listener in [Service] binds to loopback only, so waiting for
# network-online may be stricter than needed. Confirm whether the service makes
# outbound connections at start-up.
After=network-online.target
Wants=network-online.target
# How the service is run: command, environment, restart policy, identity and sandboxing.
[Service]
# The unit executes whatever is installed at this path.
# NOTE(review): the deploy recipe is not visible here; confirm the binary ends up
# root-owned and not group- or world-writable.
ExecStart=/usr/local/bin/share-svc
# Bind to loopback only; Caddy reverse-proxies public traffic to it.
# Loopback is still reachable by every local process on the host, so any access
# control applied only in Caddy does not cover local clients.
Environment=ADDR=127.0.0.1:8090
# Must stay under the StateDirectory below: with ProtectSystem=strict that is the
# only persistent location this unit makes writable.
Environment=DB_PATH=/var/lib/share-svc/shares.db
# Restart after an unclean exit (non-zero status, signal, timeout), waiting 2 seconds.
Restart=on-failure
RestartSec=2

# Run as an ephemeral, unprivileged user. StateDirectory creates and chowns
# /var/lib/share-svc so the SQLite file persists across restarts.
# With DynamicUser=yes the UID/GID is allocated at start and released at stop, and
# /var/lib/share-svc becomes a symlink into /var/lib/private/, which is not
# accessible to other unprivileged users.
# DynamicUser=yes also implies ProtectSystem=strict, ProtectHome=read-only,
# PrivateTmp=yes, NoNewPrivileges=yes, RestrictSUIDSGID=yes and RemoveIPC=yes; the
# explicit settings below restate these, and ProtectHome=yes is stricter than the
# implied value.
DynamicUser=yes
StateDirectory=share-svc

# Hardening
# The process and its children cannot gain privileges through execve()
# (setuid/setgid bits, file capabilities).
NoNewPrivileges=yes
# Entire file system hierarchy is read-only except /dev, /proc and /sys.
ProtectSystem=strict
# /home, /root and /run/user are inaccessible and appear empty.
ProtectHome=yes
# Private /tmp and /var/tmp, not shared with other processes on the host.
PrivateTmp=yes
# Private /dev containing only pseudo-devices (null, zero, random, ...).
PrivateDevices=yes
# Kernel tunables under /proc/sys and /sys are read-only.
ProtectKernelTunables=yes
# Explicit kernel module loading and unloading is denied.
ProtectKernelModules=yes
# The cgroup hierarchy is read-only.
ProtectControlGroups=yes
# Allow-list for socket(): IPv4 and IPv6 only. AF_UNIX is not listed, so the
# service cannot open new Unix-domain sockets; descriptors inherited from systemd
# (such as stdout/stderr to the journal) are unaffected.
RestrictAddressFamilies=AF_INET AF_INET6
# Creating or entering any kind of Linux namespace is denied.
RestrictNamespaces=yes
# The execution domain (personality) cannot be changed.
LockPersonality=yes
# Memory mappings that are both writable and executable are refused. This breaks
# JIT-based runtimes; the commit message describes a static binary, for which it
# should be safe.
MemoryDenyWriteExecute=yes
# NOTE(review): not set in this unit: CapabilityBoundingSet=,
# SystemCallFilter=@system-service, SystemCallArchitectures=native,
# ProtectKernelLogs=, ProtectClock=, ProtectHostname=, ProtectProc=,
# RestrictRealtime= and UMask=. `systemd-analyze security share-svc.service`
# lists the remaining exposure; test each addition against the binary before
# enabling it.
# Enablement: `systemctl enable` hooks the unit into multi-user.target, so it is
# started during a normal (non-rescue) boot.
[Install]
WantedBy=multi-user.target