Echo
297bf1bd83
M11 - Email Notifications + Audit Logging Hardening: - Email notifier (lettre crate) with templates for patch failure, job completion, maintenance reminders - Audit log hash chaining (prev_hash + row_hash) for tamper-evident logging - Periodic + on-demand audit integrity verification - Audit logging for all config changes and certificate operations - Frontend: email settings integration, audit integrity verification action M12 - Deployment Packaging, Backup/DR, Integration Testing: - scripts/backup.sh: Nightly pg_dump, CA backup (GPG), config backup (secrets excluded unless encrypted) - scripts/setup.sh: Enhanced with backup dir, seed migration, backup cron, systemd target install - systemd units: Restart=always, WatchdogSec, ReadWritePaths, security hardening - systemd/patch-manager.target: Service target for coordinated lifecycle - docs/runbooks/restore.md: Full DR runbook with RPO 24h / RTO 4h targets - scripts/integration-test.sh: 9 test suites covering full API lifecycle - scripts/performance-test.sh: NFR validation (dashboard <5s, CIDR /22 <10s, API <2s) - docs/security-review.md: Comprehensive security control verification - docs/compliance-mapping.md: HIPAA (6 sections) + PCI-DSS v4.0 (9 requirements) mapped
62 lines
1.5 KiB
Desktop File
62 lines
1.5 KiB
Desktop File
[Unit]
|
|
Description=Linux Patch Manager — Web Server
|
|
Documentation=https://gitea.moon-dragon.us/echo/linux_patch_manager
|
|
After=network-online.target postgresql.service
|
|
Wants=network-online.target
|
|
Requires=postgresql.service
|
|
PartOf=patch-manager.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=patch-manager
|
|
Group=patch-manager
|
|
WorkingDirectory=/opt/patch-manager
|
|
|
|
# Configuration
|
|
Environment="PATCH_MANAGER_CONFIG=/etc/patch-manager/config.toml"
|
|
# Override individual settings via environment if needed:
|
|
# Environment="PATCH_MANAGER__DATABASE__URL=postgres://..."
|
|
|
|
ExecStart=/usr/local/bin/pm-web
|
|
|
|
# Restart policy — aggressive restart for production availability
|
|
Restart=always
|
|
RestartSec=5s
|
|
StartLimitIntervalSec=60
|
|
StartLimitBurst=5
|
|
|
|
# Timeouts
|
|
TimeoutStartSec=90s
|
|
TimeoutStopSec=30s
|
|
|
|
# Watchdog — pm-web must report health within this interval
|
|
WatchdogSec=120s
|
|
|
|
# Security hardening
|
|
NoNewPrivileges=true
|
|
ProtectSystem=strict
|
|
ProtectHome=true
|
|
ReadWritePaths=/var/log/patch-manager /etc/patch-manager/ca /etc/patch-manager/certs /etc/patch-manager/tls /etc/patch-manager/jwt /usr/share/patch-manager/frontend
|
|
PrivateTmp=true
|
|
PrivateDevices=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectControlGroups=true
|
|
RestrictNamespaces=true
|
|
RestrictSUIDSGID=true
|
|
|
|
# Allow binding to port 443 without root
|
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
|
|
|
# File descriptor limits
|
|
LimitNOFILE=65536
|
|
|
|
# Logging
|
|
StandardOutput=journal
|
|
StandardError=journal
|
|
SyslogIdentifier=patch-manager-web
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|