From 03e06738a00cdd752c64735daedd836b83d4c9de 2023-11-23 23:01:34
From: Ben Sturmfels
Date: 2023-11-23 23:01:34
Subject: [PATCH] Add conservancy-www-db.service to repository, document Systemd services
---
diff --git a/TODO.md b/TODO.md
index f0379336662ad3b1b24dc15054d6eb7a26c86621..24cdc48c9eebfde6641d91bd7331f091aef66f8b 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,6 +1,6 @@
 # To-do
 
-* consider running the /etc/systemd/system/conservancy-www-db.service on a timer so it doesn't require an Apache restart (and brief outage) - document this service too
+* consider running the /etc/systemd/system/conservancy-www-db.service on a timer so it doesn't require an Apache restart (and brief outage)
 * use `` elements for supporter page hidden sections, rather than complex jQuery - or consider Alpine.js
 * replace `internalNavigate` with inline flexbox layout
 * migrate to Django 4.2
diff --git a/systemd/README.md b/systemd/README.md
index 68584325e8f596d9bfb8ee01ede4e8725efbbf52..01d81e5fcbebb6fbda7c63c57bbdd7f320fa4180 100644
--- a/systemd/README.md
+++ b/systemd/README.md
@@ -1,12 +1,20 @@
-Install with:
+# SystemD services
+
+## Installing
+
+Install all SystemD services with:
 
 cp systemd/conservancy-www-*.{service,timer} /etc/systemd/system
 systemctl enable conservancy-www-cleanup.service
 systemctl start conservancy-www-cleanup.service
 systemctl enable conservancy-www-update.timer
 systemctl start conservancy-www-update.timer
+ systemctl enable conservancy-www-db.service
+
+
+## Website updates
 
-Monitor with:
+Monitor the website update service with:
 
 systemctl list-timers --all
 journalctl --catalog --follow --unit conservancy-www-update.service
@@ -17,3 +25,10 @@ Updates will fail unless `/var/www/website` has a git upstream, so set that with
 git branch --set-upstream-to=upstream/master master
 
 Note that the update script does not run `migrate`.
+
+
+## Fundraiser/sustainer database updates
+
+The `conservancy-www-db.service` applies SQL updates to the website
+database. These include the fundraising total and sustainers to be publicly
+acknowledged.
diff --git a/systemd/conservancy-www-cleanup.service b/systemd/conservancy-www-cleanup.service
index fe40af75b03b0624c6a1c935ca081700a9f49e28..5ad0a5603c7c6dff0048466c6a893d7de64bbd88 100644
--- a/systemd/conservancy-www-cleanup.service
+++ b/systemd/conservancy-www-cleanup.service
@@ -1,3 +1,5 @@
+# Remove old Django login sessions.
+
 [Unit]
 Description=Cleanup Conservancy website
 Before=apache2.service
diff --git a/systemd/conservancy-www-db.service b/systemd/conservancy-www-db.service
new file mode 100644
index 0000000000000000000000000000000000000000..a6ff38ef6b57483841185e41138628055e0d370e
--- /dev/null
+++ b/systemd/conservancy-www-db.service
@@ -0,0 +1,28 @@
+# Update the fundraiser total/sustainer list from an SQL file on Apache restart.
+
+[Unit]
+Description=Update Conservancy website database
+Before=apache2.service
+
+[Service]
+Type=oneshot
+User=www-data
+ExecStart=/usr/bin/sqlite3 -bail /var/lib/www/database/conservancy-website.sqlite3 ".timeout 30000" "BEGIN TRANSACTION;" ".read /home/debian/django-supporters-list.sql" "COMMIT;"
+
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
+CapabilityBoundingSet=
+NoNewPrivileges=true
+
+PrivateDevices=true
+PrivateNetwork=true
+PrivateTmp=true
+PrivateUsers=false
+ProtectControlGroups=true
+ProtectHome=read-only
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/var/lib/www/database
+
+[Install]
+WantedBy=apache2.service
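Review bot: The `ExecStart` line in `conservancy-www-db.service` hands `/home/debian/django-supporters-list.sql` to `sqlite3` through `.read`, so whoever can write that file decides what runs as `www-data` against the whole website database on every Apache start. `.read` processes sqlite3 dot-commands as well as SQL (some of which start external programs), and nothing in the unit limits which tables the script may touch. The file's owner and mode are not visible in this commit; if a less-trusted account or job produces it, have it delivered to a root-owned directory and state the expected ownership and permissions in `systemd/README.md`. Separately, `SystemCallFilter=~@clock @cpu-emulation ...` is a deny-list; `SystemCallFilter=@system-service` would be a tighter allow-list baseline for this oneshot, provided sqlite3 is confirmed to run under it.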
diff --git a/systemd/conservancy-www-update.service b/systemd/conservancy-www-update.service
index 5ccaca8498457d48098c65438e7c4a6744f6ef4a..e1d5b1821157f8db412f9710665f0d58961aa595 100644
--- a/systemd/conservancy-www-update.service
+++ b/systemd/conservancy-www-update.service
@@ -1,3 +1,5 @@
+# Run the website update script (see also: conservancy-www-update.timer).
+
 [Unit]
 Description=Update Conservancy website checkout
 
diff --git a/systemd/conservancy-www-update.sh b/systemd/conservancy-www-update.sh
index 9f8db9eea1dcb02ce93ff24c2397a198d63c9a00..d059a8d281f55ea724adc68c59c95688e7f6822f 100755
--- a/systemd/conservancy-www-update.sh
+++ b/systemd/conservancy-www-update.sh
@@ -1,5 +1,10 @@
 #!/bin/sh
 
+# Pull in and apply Conservancy website updates from the git repository.
+#
+# This is intended to be run on a timer. Note that it does *not* restart the
+# Django application or run the migrate and collectstatic commands.
+
 set -e
 set -u
 set -x