git-echo/linux_patch_manager
Private
Public Access
1
0
Fork 0
Code Releases 8 Wiki Activity
Files
f797b97282f2a56f3cca25bfb78cbd9b95bab4ac
linux_patch_manager/systemd/patch-manager-web.service
git-echo 124b5b0e3b feat: add bump-version.sh script for version management 
Automates version bumps across all version source files:
- Cargo.toml (PRIMARY - workspace.package.version)
- debian/changelog (prepend new entry)
- debian/control (update Version field)
- scripts/build-package.sh (update VERSION variable)
- frontend/package.json (update version field)
- Stale references check after bump

Usage: ./scripts/bump-version.sh <new_version> <old_version>
2026-05-28 10:52:16 -05:00

62 lines
1.5 KiB
Desktop File
Raw Blame History

[Unit]
Description=Linux Patch Manager — Web Server
Documentation=https://gitea.moon-dragon.us/echo/linux_patch_manager
After=network-online.target postgresql.service
Wants=network-online.target
Requires=postgresql.service
PartOf=patch-manager.target
[Service]
Type=simple
User=patch-manager
Group=patch-manager
WorkingDirectory=/opt/patch-manager
# Configuration
Environment="PATCH_MANAGER_CONFIG=/etc/patch-manager/config.toml"
# Override individual settings via environment if needed:
# Environment="PATCH_MANAGER__DATABASE__URL=postgres://..."
ExecStart=/usr/local/bin/pm-web
# Restart policy — aggressive restart for production availability
Restart=always
RestartSec=5s
StartLimitIntervalSec=60
StartLimitBurst=5
# Timeouts
TimeoutStartSec=90s
TimeoutStopSec=30s
# Watchdog disabled — pm-web does not currently implement sd_notify
# WatchdogSec=120s
# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/log/patch-manager /etc/patch-manager/ca /etc/patch-manager/certs /etc/patch-manager/tls /etc/patch-manager/jwt /usr/share/patch-manager/frontend
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictNamespaces=true
RestrictSUIDSGID=true
# Allow binding to port 443 without root
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# File descriptor limits
LimitNOFILE=65536
# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=patch-manager-web
[Install]
WantedBy=multi-user.target
View Git Blame Copy Permalink