git-echo/linux_patch_api
Private
Public Access
1
0
Fork 0
Code Releases 32 Wiki Activity
Files
7a9fb1ac55d07c73798a33901c5bc06abaa127a4
linux_patch_api/configs/linux-patch-api.service
Echo b2ace87ee9 v0.2.0: Fix List Jobs bug, TLS 1.3 enforcement, client_disconnect_timeout, RwLock contention 
Bug fixes:
- Fix List Jobs connection reset: Add client_disconnect_timeout (5s) to prevent TLS write truncation
- Enforce TLS 1.3 only: Add with_protocol_versions(&[&TLS13]) to rustls ServerConfig
- Fix RwLock contention: Release read lock before sorting in list_jobs()
- Fix systemd service: Remove ProtectSystem=strict (blocks package management)
- Fix systemd service: Change Type=notify to Type=simple (fixes restart hangs)
- Fix systemd service: Add DEBIAN_FRONTEND=noninteractive
- Fix systemd service: Add ReadWritePaths for apt/dpkg paths

CI/CD:
- Add Ubuntu 22.04 build job to CI workflow

E2E Testing:
- Add comprehensive E2E test suite (test_e2e.py)
- Tests cover health, packages, patches, jobs, security, and reboot endpoints

Other:
- Bump version to 0.2.0
- Add lessons learned documentation
2026-05-02 20:59:02 +00:00

62 lines
1.5 KiB
Desktop File
Raw Blame History

[Unit]
Description=Linux Patch API - Secure Remote Package Management
Documentation=man:linux-patch-api(8)
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
NotifyAccess=all
ExecStart=/usr/bin/linux-patch-api --config /etc/linux_patch_api/config.yaml
Restart=on-failure
RestartSec=5s
TimeoutStopSec=30s
# Process management
RuntimeDirectory=linux-patch-api
RuntimeDirectoryMode=0755
# Security hardening
NoNewPrivileges=true
# ProtectSystem removed - package management requires write access to /usr, /etc, /lib
# Network security provided by mTLS + IP whitelist
ProtectHome=true
# ReadWritePaths kept as documentation reference for apt/dpkg paths
ReadWritePaths=/var/lib/linux_patch_api /var/log/linux_patch_api /var/cache/apt /var/lib/apt /var/lib/dpkg /var/log/apt
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=false
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
# System call filtering (whitelist approach)
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Environment
Environment="RUST_BACKTRACE=1"
Environment="DEBIAN_FRONTEND=noninteractive"
Environment="RUST_LOG=info"
# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=linux-patch-api
SyslogFacility=daemon
SyslogLevel=info
# Resource limits
LimitNOFILE=65536
LimitNPROC=4096
[Install]
WantedBy=multi-user.target
View Git Blame Copy Permalink