Kyle Isom
b0afe3b993
- Rename dist/ -> deploy/ with subdirs examples/, scripts/, systemd/ per standard repository layout - Update .gitignore: gitignore all of dist/ (build output only) - Makefile: all target is now vet->lint->test->build; add vet, proto-lint, devserver targets; CGO_ENABLED=0 for builds (modernc.org/sqlite is pure-Go, no C toolchain needed); CGO_ENABLED=1 retained for tests (race detector) - Dockerfile: builder -> golang:1.26-alpine, runtime -> alpine:3.21; drop libc6 dep; add /srv/mcias/certs and /srv/mcias/backups to image - deploy/systemd/mcias.service: add RestrictSUIDSGID=true - deploy/systemd/mcias-backup.service: new oneshot backup unit - deploy/systemd/mcias-backup.timer: daily 02:00 UTC, 5m jitter - deploy/scripts/install.sh: install backup units and enable timer; create certs/ and backups/ subdirs in /srv/mcias - buf.yaml: add proto linting config for proto-lint target - internal/db: add Snapshot and SnapshotDir methods (VACUUM INTO) - cmd/mciasdb: add snapshot subcommand; no master key required
33 lines
798 B
Desktop File
33 lines
798 B
Desktop File
[Unit]
|
|
Description=MCIAS Database Backup
|
|
Documentation=man:mciasdb(1)
|
|
After=mcias.service
|
|
# Backup runs against the live database using VACUUM INTO, which is safe
|
|
# while mciassrv is running (WAL mode allows concurrent readers).
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
User=mcias
|
|
Group=mcias
|
|
|
|
EnvironmentFile=/srv/mcias/env
|
|
|
|
ExecStart=/usr/local/bin/mciasdb -config /srv/mcias/mcias.toml snapshot
|
|
|
|
# Filesystem restrictions (read-write to /srv/mcias for the backup output).
|
|
ProtectSystem=strict
|
|
ProtectHome=true
|
|
PrivateTmp=true
|
|
ReadWritePaths=/srv/mcias
|
|
NoNewPrivileges=true
|
|
PrivateDevices=true
|
|
CapabilityBoundingSet=
|
|
RestrictSUIDSGID=true
|
|
RestrictNamespaces=true
|
|
RestrictRealtime=true
|
|
LockPersonality=true
|
|
MemoryDenyWriteExecute=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectControlGroups=true
|