From 5d37721607b88d1cefa1b2514d0ebc94d6598051 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Fri, 9 Feb 2018 05:55:56 +0000
Subject: [PATCH 01/36] Initial commit
---
c9.service | 13 +++++++++++++
caddy.service | 13 +++++++++++++
jarvis-bot.service | 13 +++++++++++++
3 files changed, 39 insertions(+)
create mode 100644 c9.service
create mode 100644 caddy.service
create mode 100644 jarvis-bot.service
diff --git a/c9.service b/c9.service
new file mode 100644
index 0000000..644f046
--- /dev/null
+++ b/c9.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Jarvis-CI-Bot service
+After=network.target
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/etc/caddy/core
+ExecStart=/usr/bin/node /etc/caddy/core/server.js -p 8080 -a : -w ~/
+Restart=on-abort
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/caddy.service b/caddy.service
new file mode 100644
index 0000000..cce2136
--- /dev/null
+++ b/caddy.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Caddy webserver service
+After=network.target
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/etc/caddy
+ExecStart=/usr/local/bin/caddy -conf /etc/caddy/Caddyfile
+Restart=on-abort
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/jarvis-bot.service b/jarvis-bot.service
new file mode 100644
index 0000000..5a5a6ee
--- /dev/null
+++ b/jarvis-bot.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Jarvis-CI-Bot service
+After=network.target
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/root/jarvis-ci-bot
+ExecStart=/root/jarvis-ci-bot/build.py
+Restart=on-abort
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
From 7da5de3c645f181423eac012ec9cd020fcc42aec Mon Sep 17 00:00:00 2001
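Review bot: `+ExecStart=/usr/bin/node /etc/caddy/core/server.js -p 8080 -a : -w ~/` hands `~/` to server.js literally, because systemd performs no shell expansion of `~` in ExecStart=, so the workspace argument is not the home directory the author presumably meant; spell out the absolute path, e.g. `-w /root/` for the `User=root` this hunk declares. The same hunk's `Description=Jarvis-CI-Bot service` is copied from jarvis-bot.service and should name the cloud9 IDE. If `-a :` is cloud9's form for running without basic auth, record that in a comment, since the unit exposes the IDE on port 8080 with nothing else in it limiting who can reach that listener.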
From: Harsh Shandilya
Date: Fri, 9 Feb 2018 06:03:05 +0000
Subject: [PATCH 02/36] Move all services into their own domains I've already seen the cons of running as root
---
c9.service | 4 ++--
caddy.service | 2 +-
jarvis-bot.service | 6 +++---
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/c9.service b/c9.service
index 644f046..40bb592 100644
--- a/c9.service
+++ b/c9.service
@@ -4,8 +4,8 @@ After=network.target
 
 [Service]
 Type=simple
-User=root
-WorkingDirectory=/etc/caddy/core
+User=msfjarvis
+WorkingDirectory=/home/msfjarvis
 ExecStart=/usr/bin/node /etc/caddy/core/server.js -p 8080 -a : -w ~/
 Restart=on-abort
 
diff --git a/caddy.service b/caddy.service
index cce2136..d9b3530 100644
--- a/caddy.service
+++ b/caddy.service
@@ -4,7 +4,7 @@ After=network.target
 
 [Service]
 Type=simple
-User=root
+User=caddy
 WorkingDirectory=/etc/caddy
 ExecStart=/usr/local/bin/caddy -conf /etc/caddy/Caddyfile
 Restart=on-abort
diff --git a/jarvis-bot.service b/jarvis-bot.service
index 5a5a6ee..984ddee 100644
--- a/jarvis-bot.service
+++ b/jarvis-bot.service
@@ -4,9 +4,9 @@ After=network.target
 
 [Service]
 Type=simple
-User=root
-WorkingDirectory=/root/jarvis-ci-bot
-ExecStart=/root/jarvis-ci-bot/build.py
+User=bot
+WorkingDirectory=/home/bot/jarvis-ci-bot
+ExecStart=/home/bot/jarvis-ci-bot/build.py
 Restart=on-abort
 
 [Install]
From 96f929bd8a69efde0927a26262d221767913a6f1 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Wed, 14 Feb 2018 23:07:28 +0530
Subject: [PATCH 03/36] Sync caddy unit with mholt/caddy master a bit
Signed-off-by: Harsh Shandilya
---
caddy.service | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/caddy.service b/caddy.service
index d9b3530..d13e79e 100644
--- a/caddy.service
+++ b/caddy.service
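Review bot: In the caddy.service hunk, `+User=caddy` drops root but nothing in the unit lets the process bind ports below 1024, so if the Caddyfile (not shown) listens on :80/:443 the service will fail at start unless the binary was given file capabilities out of band. Pair the user change with `AmbientCapabilities=CAP_NET_BIND_SERVICE` and `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` so the grant is explicit in the unit and limited to that one capability. The c9 hunk on this line does not have the problem since its listener is on 8080, and the jarvis-bot hunk shows no listener at all.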
@@ -3,11 +3,20 @@ Description=Caddy webserver service
 After=network.target
 
 [Service]
+Restart=on-abort
 Type=simple
 User=caddy
 WorkingDirectory=/etc/caddy
-ExecStart=/usr/local/bin/caddy -conf /etc/caddy/Caddyfile
-Restart=on-abort
+
+ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile
+ExecReload=/bin/kill -USR1 $MAINPID
+
+KillMode=mixed
+KillSignal=SIGQUIT
+TimeoutStopSec=5s
+
+LimitNOFILE=1048576
+LimitNPROC=512
 
 [Install]
 WantedBy=multi-user.target
\ No newline at end of file
From be6bc18625fbc225fd32d9598f5cf417de847435 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Wed, 14 Feb 2018 23:12:12 +0530
Subject: [PATCH 04/36] jarvis-bot: Sync some security settings with caddy upstream
Signed-off-by: Harsh Shandilya
---
jarvis-bot.service | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/jarvis-bot.service b/jarvis-bot.service
index 984ddee..e1d1e3a 100644
--- a/jarvis-bot.service
+++ b/jarvis-bot.service
@@ -3,11 +3,26 @@ Description=Jarvis-CI-Bot service
 After=network.target
 
 [Service]
+Restart=on-abort
 Type=simple
 User=bot
 WorkingDirectory=/home/bot/jarvis-ci-bot
 ExecStart=/home/bot/jarvis-ci-bot/build.py
-Restart=on-abort
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Use graceful shutdown with a reasonable timeout
+KillMode=mixed
+KillSignal=SIGQUIT
+TimeoutStopSec=5s
+
+; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp=true
+; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
+PrivateDevices=false
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
 
 [Install]
 WantedBy=multi-user.target
\ No newline at end of file
From 3c4bef44093a012427d7c009587a9e2a4baf77e3 Mon Sep 17 00:00:00 2001
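Review bot: `+Restart=on-abort` restarts caddy only after death by an unclean signal, so an exit with a non-zero status (a crash that returns an error code rather than dying by signal) leaves the site down until someone notices. The upstream unit this commit syncs from uses `Restart=on-abnormal` (the spelling PATCH 20 later imports wholesale), and `Restart=on-failure` would also cover non-zero exits if that is wanted. `+ExecReload=/bin/kill -USR1 $MAINPID` is appropriate here because caddy of this generation treats SIGUSR1 as its reload signal; that deserves a one-line comment, because the line gets copied into units for other programs from PATCH 04 onwards.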
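Review bot: `+ExecReload=/bin/kill -USR1 $MAINPID` was carried over from the caddy unit, but build.py is a Python script and the default disposition of SIGUSR1 is to terminate the process, so unless build.py installs a handler (not visible here) `systemctl reload jarvis-bot` kills the bot and `Restart=on-abort` then starts it from scratch instead of reloading it. Drop the `ExecReload=` line unless the script implements a reload on that signal; the same copied line appears in the c9 hunk of PATCH 05 and in the new bot units of PATCH 08, 11 and 13. Separately, `+ProtectHome=true` makes all of /home unreachable for the service while `WorkingDirectory=/home/bot/jarvis-ci-bot` lies under it, so the unit cannot start as written, which is the breakage PATCH 06 removes the directive for.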
From: Harsh Shandilya
Date: Wed, 14 Feb 2018 23:12:12 +0530
Subject: [PATCH 05/36] c9: Sync some security settings with caddy upstream
Signed-off-by: Harsh Shandilya
---
c9.service | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/c9.service b/c9.service
index 40bb592..3341a35 100644
--- a/c9.service
+++ b/c9.service
@@ -1,13 +1,28 @@
 [Unit]
-Description=Jarvis-CI-Bot service
+Description=cloud9 local IDE
 After=network.target
 
 [Service]
+Restart=on-abort
 Type=simple
 User=msfjarvis
 WorkingDirectory=/home/msfjarvis
 ExecStart=/usr/bin/node /etc/caddy/core/server.js -p 8080 -a : -w ~/
-Restart=on-abort
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Use graceful shutdown with a reasonable timeout
+KillMode=mixed
+KillSignal=SIGQUIT
+TimeoutStopSec=5s
+
+; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp=true
+; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
+PrivateDevices=false
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
 
 [Install]
 WantedBy=multi-user.target
\ No newline at end of file
From 7c17937d4bff1474343bb0dfe64f4eeb19983e42 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Wed, 14 Feb 2018 23:41:12 +0530
Subject: [PATCH 06/36] Allow home access to c9 and jarvis-bot c9 _is_ run inside /home/msfjarvis and jarvis-bot dumps temp data in it's home in /home/bot/jarvis-ci-bot
Signed-off-by: Harsh Shandilya
---
c9.service | 2 --
jarvis-bot.service | 2 --
2 files changed, 4 deletions(-)
diff --git a/c9.service b/c9.service
index 3341a35..7e38582 100644
--- a/c9.service
+++ b/c9.service
@@ -19,8 +19,6 @@ TimeoutStopSec=5s
 PrivateTmp=true
 ; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
 PrivateDevices=false
-; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
-ProtectHome=true
 ; Make /usr, /boot, /etc and possibly some more folders read-only.
 ProtectSystem=full
 
diff --git a/jarvis-bot.service b/jarvis-bot.service
index e1d1e3a..e5a0dce 100644
--- a/jarvis-bot.service
+++ b/jarvis-bot.service
@@ -19,8 +19,6 @@ TimeoutStopSec=5s
 PrivateTmp=true
 ; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
 PrivateDevices=false
-; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
-ProtectHome=true
 ; Make /usr, /boot, /etc and possibly some more folders read-only.
 ProtectSystem=full
 
From 8ab76bc9018cbfcf0d7dda300c80931669ab1603 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Wed, 14 Feb 2018 23:46:57 +0530
Subject: [PATCH 07/36] Add an update script Truth be told I got tired as shit of doing it again and again by hand lol
Signed-off-by: Harsh Shandilya
---
update.sh | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100755 update.sh
diff --git a/update.sh b/update.sh
new file mode 100755
index 0000000..67ffa10
--- /dev/null
+++ b/update.sh
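Review bot: Deleting `ProtectHome=true` outright gives both services an unsandboxed view of every home directory, /root and /run/user, when the commit message says each needs only its own tree (/home/msfjarvis for c9, /home/bot/jarvis-ci-bot for jarvis-bot). On a systemd new enough to have them, `ProtectHome=tmpfs` together with `BindPaths=/home/msfjarvis` (respectively `BindPaths=/home/bot/jarvis-ci-bot`) keeps everything else hidden while leaving the needed directory writable; where that is not available, `InaccessiblePaths=` on the other homes gives much of the same effect. Whatever is chosen, leave a one-line comment where the directive used to be explaining why it is absent, so that the next "sync with caddy upstream" does not reintroduce it and break startup again. Both hunks on this line have the same shape.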
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+CL_RST="\033[0m"
+CL_YLW="\033[01;33m"
+
+function reportWarning {
+ echo -e ""
+ echo -e ${CL_YLW}"${1}"${CL_RST}
+ if [[ -z ${2} ]]; then
+ echo -e ""
+ fi
+}
+
+# Grab all service names
+services=$(ls *.service | cut -d '.' -f 1)
+
+# Place the systemd unit files where they belong
+reportWarning "Copying systemd files to /etc/systemd/system"
+sudo cp *.service /etc/systemd/system/
+
+# Reload systemctl so that it processes our changes
+reportWarning "Reloading systemctl daemon"
+systemctl daemon-reload
+
+# Sleep for 5 seconds to let systemctl get it's shit together
+sleep 5
+
+# Now loop through each service and restart it
+for service in ${services};do
+ reportWarning "Restarting ${service}"
+ service ${service} restart
+done
\ No newline at end of file
From 309b479c5c86cc7218efba80f9651a38ee1743b6 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Sat, 14 Apr 2018 13:39:45 +0000
Subject: [PATCH 08/36] systemd-units: Add UNO telegram bot
Signed-off-by: Harsh Shandilya
---
uno-bot.service | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 uno-bot.service
diff --git a/uno-bot.service b/uno-bot.service
new file mode 100644
index 0000000..c8f9971
--- /dev/null
+++ b/uno-bot.service
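Review bot: The script copies with `sudo cp *.service /etc/systemd/system/` but then runs `systemctl daemon-reload` and `service ${service} restart` unprivileged, so for a non-root caller the copy succeeds and every later step fails, and without `set -euo pipefail` near the top the loop still prints "Restarting" for each unit as if it had worked. `systemctl daemon-reload` is synchronous, so `sleep 5` adds nothing but delay. `services=$(ls *.service | cut -d '.' -f 1)` parses ls output and `echo -e ${CL_YLW}"${1}"${CL_RST}` is unquoted; both are the shellcheck findings PATCH 14 later addresses, but the missing `set -euo pipefail` survives through the rewrites in PATCH 14, 19, 22 and 27 as well.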
@@ -0,0 +1,26 @@
+[Unit]
+Description=Jarvis-CI-Bot service
+After=network.target
+
+[Service]
+Restart=on-abort
+Type=simple
+User=bot
+WorkingDirectory=/home/bot/mau_mau_bot
+ExecStart=/home/bot/mau_mau_bot/bot.py
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Use graceful shutdown with a reasonable timeout
+KillMode=mixed
+KillSignal=SIGQUIT
+TimeoutStopSec=5s
+
+; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp=true
+; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
+PrivateDevices=false
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target
From 594af13217080a4f221ae46a6e3017b6a74e6acf Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Sat, 14 Apr 2018 19:26:35 +0530
Subject: [PATCH 09/36] uno-bot: Correct service description
Signed-off-by: Harsh Shandilya
---
uno-bot.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/uno-bot.service b/uno-bot.service
index c8f9971..5a37220 100644
--- a/uno-bot.service
+++ b/uno-bot.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=Jarvis-CI-Bot service
+Description=UNO Telegram Bot service
 After=network.target
 
 [Service]
From d0c01ccafb6099d5b78e7809dc7241b10d90b674 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Sat, 14 Apr 2018 20:30:01 +0530
Subject: [PATCH 10/36] Ensure all services are set for on-boot enable
Signed-off-by: Harsh Shandilya
---
update.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/update.sh b/update.sh
index 67ffa10..4f2d5fb 100755
--- a/update.sh
+++ b/update.sh
@@ -29,4 +29,5 @@ sleep 5
 for service in ${services};do
 reportWarning "Restarting ${service}"
 service ${service} restart
+ [[ -f /etc/systemd/system/${service}.service ]] || systemctl enable ${service}
 done
\ No newline at end of file
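Review bot: `+ [[ -f /etc/systemd/system/${service}.service ]] || systemctl enable ${service}` can never enable anything: the script has just copied every unit into /etc/systemd/system, so the test is always true and the right-hand side is never reached. Enabled state is indicated by the symlink systemd creates under the target's wants directory, or better asked directly, so `systemctl is-enabled --quiet "${service}" || sudo systemctl enable "${service}"` does what the commit title promises without depending on the WantedBy= target; the `sudo` is needed because the copy a few lines earlier already requires it.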
From 2067d4596976ddadb79b8a417cbbd051c8d9c844 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Tue, 22 Jan 2019 21:06:26 +0530
Subject: [PATCH 11/36] Add horbiswalls bot systemd unit
Signed-off-by: Harsh Shandilya
---
horbiswalls-bot.service | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 horbiswalls-bot.service
diff --git a/horbiswalls-bot.service b/horbiswalls-bot.service
new file mode 100644
index 0000000..e80c791
--- /dev/null
+++ b/horbiswalls-bot.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=horbiswalls Telegram Bot service
+After=network.target
+
+[Service]
+Restart=on-abort
+Type=simple
+User=bot
+WorkingDirectory=/home/msfjarvis/walls-manager-master
+ExecStart=//home/msfjarvis/walls-manager-master/venv/bin/python bot.py
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Use graceful shutdown with a reasonable timeout
+KillMode=mixed
+KillSignal=SIGQUIT
+TimeoutStopSec=5s
+
+; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp=true
+; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
+PrivateDevices=false
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target
From b8d54a5469ba409c548ce50e15689f1cc957c473 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Tue, 22 Jan 2019 21:06:35 +0530
Subject: [PATCH 12/36] Remove unused systemd unit
Signed-off-by: Harsh Shandilya
---
jarvis-bot.service | 26 --------------------------
1 file changed, 26 deletions(-)
delete mode 100644 jarvis-bot.service
diff --git a/jarvis-bot.service b/jarvis-bot.service
deleted file mode 100644
index e5a0dce..0000000
--- a/jarvis-bot.service
+++ /dev/null
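Review bot: `+User=bot` is paired with `+WorkingDirectory=/home/msfjarvis/walls-manager-master` and an interpreter under the same tree, so the service either fails at start (systemd cannot chdir into a directory the bot user cannot traverse) or works only because another account's home is world-traversable, and the unit records neither assumption. Give the bot its own checkout under its own home as uno-bot.service already does with `/home/bot/...`, or add a comment naming the permissions the layout relies on. `+ExecStart=//home/msfjarvis/...` also carries a doubled leading slash; it resolves, but it reads as a typo.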
@@ -1,26 +0,0 @@
-[Unit]
-Description=Jarvis-CI-Bot service
-After=network.target
-
-[Service]
-Restart=on-abort
-Type=simple
-User=bot
-WorkingDirectory=/home/bot/jarvis-ci-bot
-ExecStart=/home/bot/jarvis-ci-bot/build.py
-ExecReload=/bin/kill -USR1 $MAINPID
-
-; Use graceful shutdown with a reasonable timeout
-KillMode=mixed
-KillSignal=SIGQUIT
-TimeoutStopSec=5s
-
-; Use private /tmp and /var/tmp, which are discarded after caddy stops.
-PrivateTmp=true
-; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
-PrivateDevices=false
-; Make /usr, /boot, /etc and possibly some more folders read-only.
-ProtectSystem=full
-
-[Install]
-WantedBy=multi-user.target
\ No newline at end of file
From 09cfd71230723b53f90ceb291d15d86c3466e4d6 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Fri, 8 Feb 2019 20:41:24 +0530
Subject: [PATCH 13/36] Add mirror-bot unit
Signed-off-by: Harsh Shandilya
---
mirror-bot.service | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 mirror-bot.service
diff --git a/mirror-bot.service b/mirror-bot.service
new file mode 100644
index 0000000..31f7f72
--- /dev/null
+++ b/mirror-bot.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=aria2 mirror Telegram Bot service
+After=network.target
+
+[Service]
+Restart=on-abort
+Type=simple
+User=msfjarvis
+WorkingDirectory=/home/msfjarvis/aria-telegram-mirror-bot
+ExecStartPre=/usr/bin/env bash aria.sh
+ExecStart=/usr/bin/npm --max_old_space_size=128 start
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Use graceful shutdown with a reasonable timeout
+KillMode=mixed
+KillSignal=SIGQUIT
+TimeoutStopSec=5s
+
+; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp=true
+; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
+PrivateDevices=false
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target
From d4bcd98ea3e3d881284bb5a52a9a2b24fe6bfc12 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Thu, 14 Feb 2019 13:02:32 +0530
Subject: [PATCH 14/36] Rewrite update script to fix shellcheck warnings
Signed-off-by: Harsh Shandilya
---
update.sh | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/update.sh b/update.sh
index 4f2d5fb..fe70696 100755
--- a/update.sh
+++ b/update.sh
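Review bot: `+ExecStartPre=/usr/bin/env bash aria.sh` locates the script only through `WorkingDirectory=`, and ExecStartPre= is meant for setup that finishes: systemd kills every process left over from an ExecStartPre= command before it runs ExecStart=, so if aria.sh starts aria2 in the background (the name suggests it; the script is not shown) the bot will find no daemon when it starts. If that is the intent, run aria2 as a unit of its own and order this one behind it with `Requires=` and `After=` on that unit; if aria.sh merely prepares files, an absolute path such as `/home/msfjarvis/aria-telegram-mirror-bot/aria.sh` plus a comment saying what it does would remove the ambiguity.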
@@ -5,29 +5,29 @@ CL_YLW="\033[01;33m"
 
 function reportWarning {
 echo -e ""
- echo -e ${CL_YLW}"${1}"${CL_RST}
- if [[ -z ${2} ]]; then
+ echo -e "${CL_YLW}${1}${CL_RST}"
+ if [[ -z "${2}" ]]; then
 echo -e ""
 fi
 }
 
 # Grab all service names
-services=$(ls *.service | cut -d '.' -f 1)
+declare -a services
+while IFS= read -r -d $'\0'; do
+ services+=("$REPLY")
+done < <(find . -name '*.service' -print0 | sed 's/\.\///g')
 
 # Place the systemd unit files where they belong
 reportWarning "Copying systemd files to /etc/systemd/system"
-sudo cp *.service /etc/systemd/system/
+for service in "${services[@]}"; do cp "${service}" /etc/systemd/system/; done
 
 # Reload systemctl so that it processes our changes
 reportWarning "Reloading systemctl daemon"
-systemctl daemon-reload
-
-# Sleep for 5 seconds to let systemctl get it's shit together
-sleep 5
+sudo systemctl daemon-reload
 
 # Now loop through each service and restart it
-for service in ${services};do
+for service in "${services[@]}"; do
 reportWarning "Restarting ${service}"
- service ${service} restart
- [[ -f /etc/systemd/system/${service}.service ]] || systemctl enable ${service}
+ service "${service}" restart
+ [ -f "/etc/systemd/system/${service}.service" ] || systemctl enable "${service}"
 done
\ No newline at end of file
From 84a394f348f754b110e43f10f38f5f241402f434 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Tue, 12 Mar 2019 00:00:37 +0530
Subject: [PATCH 15/36] Sync
Signed-off-by: Harsh Shandilya
---
horbiswalls-bot.service | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/horbiswalls-bot.service b/horbiswalls-bot.service
index e80c791..dabf4b3 100644
--- a/horbiswalls-bot.service
+++ b/horbiswalls-bot.service
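Review bot: The new `services` array holds file names such as `caddy.service`, but the restart loop still treats each element as a unit name, so `service "${service}" restart` is invoked on `caddy.service` and the enable check looks for `/etc/systemd/system/caddy.service.service`, which never exists; strip the suffix when filling the array, `services+=("${REPLY%.service}")`, and copy `"${service}.service"` in the install loop. The copy loop also dropped the `sudo` that the old `sudo cp` line had while `daemon-reload` gained one, so as a non-root user nothing is installed. `sed 's/\.\///g'` is applied to a NUL-separated stream as one long line, which appears to work with GNU sed but is accidental; `${REPLY#./}` inside the loop removes the prefix without that dependency.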
@@ -6,8 +6,8 @@ After=network.target
 Restart=on-abort
 Type=simple
 User=bot
-WorkingDirectory=/home/msfjarvis/walls-manager-master
-ExecStart=//home/msfjarvis/walls-manager-master/venv/bin/python bot.py
+WorkingDirectory=/home/msfjarvis/walls-manager
+ExecStart=/home/msfjarvis/walls-manager/venv/bin/python bot.py
 ExecReload=/bin/kill -USR1 $MAINPID
 
 ; Use graceful shutdown with a reasonable timeout
From 458fe3110fd7134761c49dbc095a306d78d305e1 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Sat, 16 Mar 2019 17:42:53 +0530
Subject: [PATCH 16/36] Fix user
Signed-off-by: Harsh Shandilya
---
horbiswalls-bot.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/horbiswalls-bot.service b/horbiswalls-bot.service
index dabf4b3..fd1e80f 100644
--- a/horbiswalls-bot.service
+++ b/horbiswalls-bot.service
@@ -5,7 +5,7 @@ After=network.target
 [Service]
 Restart=on-abort
 Type=simple
-User=bot
+User=msfjarvis
 WorkingDirectory=/home/msfjarvis/walls-manager
 ExecStart=/home/msfjarvis/walls-manager/venv/bin/python bot.py
 ExecReload=/bin/kill -USR1 $MAINPID
From 4d36c57d38526e864ed5dcbb0353c61de4da2453 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Sun, 5 May 2019 02:06:12 +0530
Subject: [PATCH 17/36] uno-bot: Use venv
Signed-off-by: Harsh Shandilya
---
uno-bot.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/uno-bot.service b/uno-bot.service
index 5a37220..61389e5 100644
--- a/uno-bot.service
+++ b/uno-bot.service
@@ -7,7 +7,7 @@ Restart=on-abort
 Type=simple
 User=bot
 WorkingDirectory=/home/bot/mau_mau_bot
-ExecStart=/home/bot/mau_mau_bot/bot.py
+ExecStart=/home/bot/mau_mau_bot/venv/bin/python bot.py
 ExecReload=/bin/kill -USR1 $MAINPID
 
 ; Use graceful shutdown with a reasonable timeout
From 0c0361b8a8fc73f0d8fd713b4c69818a0a3626ab Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Sun, 5 May 2019 02:06:37 +0530
Subject: [PATCH 18/36] Remove unused units
Signed-off-by: Harsh Shandilya
---
c9.service | 26 --------------------------
caddy.service | 22 ----------------------
2 files changed, 48 deletions(-)
delete mode 100644 c9.service
delete mode 100644 caddy.service
diff --git a/c9.service b/c9.service
deleted file mode 100644
index 7e38582..0000000
--- a/c9.service
+++ /dev/null
@@ -1,26 +0,0 @@
-[Unit]
-Description=cloud9 local IDE
-After=network.target
-
-[Service]
-Restart=on-abort
-Type=simple
-User=msfjarvis
-WorkingDirectory=/home/msfjarvis
-ExecStart=/usr/bin/node /etc/caddy/core/server.js -p 8080 -a : -w ~/
-ExecReload=/bin/kill -USR1 $MAINPID
-
-; Use graceful shutdown with a reasonable timeout
-KillMode=mixed
-KillSignal=SIGQUIT
-TimeoutStopSec=5s
-
-; Use private /tmp and /var/tmp, which are discarded after caddy stops.
-PrivateTmp=true
-; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
-PrivateDevices=false
-; Make /usr, /boot, /etc and possibly some more folders read-only.
-ProtectSystem=full
-
-[Install]
-WantedBy=multi-user.target
\ No newline at end of file
diff --git a/caddy.service b/caddy.service
deleted file mode 100644
index d13e79e..0000000
--- a/caddy.service
+++ /dev/null
@@ -1,22 +0,0 @@
-[Unit]
-Description=Caddy webserver service
-After=network.target
-
-[Service]
-Restart=on-abort
-Type=simple
-User=caddy
-WorkingDirectory=/etc/caddy
-
-ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile
-ExecReload=/bin/kill -USR1 $MAINPID
-
-KillMode=mixed
-KillSignal=SIGQUIT
-TimeoutStopSec=5s
-
-LimitNOFILE=1048576
-LimitNPROC=512
-
-[Install]
-WantedBy=multi-user.target
\ No newline at end of file
From 19a3eccdec20499e58bc3ea92c1172c5d5b1d882 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Sun, 5 May 2019 02:40:28 +0530
Subject: [PATCH 19/36] Fix update script
Signed-off-by: Harsh Shandilya
---
update.sh | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/update.sh b/update.sh
index fe70696..c89ff50 100755
--- a/update.sh
+++ b/update.sh
@@ -19,7 +19,7 @@ done < <(find . -name '*.service' -print0 | sed 's/\.\///g')
 
 # Place the systemd unit files where they belong
 reportWarning "Copying systemd files to /etc/systemd/system"
-for service in "${services[@]}"; do cp "${service}" /etc/systemd/system/; done
+for service in "${services[@]}"; do sudo cp "${service}" /etc/systemd/system/; done
 
 # Reload systemctl so that it processes our changes
 reportWarning "Reloading systemctl daemon"
@@ -27,7 +27,8 @@ sudo systemctl daemon-reload
 
 # Now loop through each service and restart it
 for service in "${services[@]}"; do
+ service="${service/.service/}"
 reportWarning "Restarting ${service}"
- service "${service}" restart
- [ -f "/etc/systemd/system/${service}.service" ] || systemctl enable "${service}"
-done
\ No newline at end of file
+ sudo service "${service}" restart
+ [ -f "/etc/systemd/system/multi-user.target.wants/${service}.service" ] && sudo systemctl enable "${service}"
+done
From e17cc4aad77f8b95b04e1b27f9fed2d3ef67f18a Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Thu, 6 Jun 2019 18:46:37 +0530
Subject: [PATCH 20/36] Add default caddy service
Signed-off-by: Harsh Shandilya
---
caddy.service | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 caddy.service
diff --git a/caddy.service b/caddy.service
new file mode 100644
index 0000000..639f407
--- /dev/null
+++ b/caddy.service
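Review bot: `+ [ -f "/etc/systemd/system/multi-user.target.wants/${service}.service" ] && sudo systemctl enable "${service}"` has the condition backwards: that symlink exists only once a unit is already enabled, so the line re-enables enabled units and skips the ones that are not, the opposite of what PATCH 10 set out to do. Flip it to `[ -f "…" ] || sudo systemctl enable "${service}"`, or drop the test and call `sudo systemctl enable "${service}"` unconditionally, since enable is idempotent. The first hunk's `sudo cp "${service}"` relies on the array still holding file names while this loop strips the suffix with `service="${service/.service/}"`; a one-line comment on the array would make that split explicit.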
@@ -0,0 +1,51 @@
+[Unit]
+Description=Caddy HTTP/2 web server
+Documentation=https://caddyserver.com/docs
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+Restart=on-abnormal
+
+; User and group the process will run as.
+User=caddy
+Group=caddy
+
+; Letsencrypt-issued certificates will be written to this directory.
+Environment=CADDYPATH=/etc/ssl/caddy
+
+; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
+ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Use graceful shutdown with a reasonable timeout
+KillMode=mixed
+KillSignal=SIGQUIT
+TimeoutStopSec=5s
+
+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
+; Unmodified caddy is not expected to use more than that.
+LimitNPROC=512
+
+; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp=true
+; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
+PrivateDevices=false
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
+; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+ReadWriteDirectories=/etc/ssl/caddy
+
+; The following additional security directives only work with systemd v229 or later.
+; They further restrict privileges that can be gained by caddy. Uncomment if you like.
+; Note that you may have to add capabilities required by any plugins in use.
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target
From 88c78f686d20d45c6ac8ceb37c29fe3499b696b5 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Thu, 6 Jun 2019 18:47:40 +0530
Subject: [PATCH 21/36] caddy: Disable private devices
Signed-off-by: Harsh Shandilya
---
caddy.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/caddy.service b/caddy.service
index 639f407..b81f8bb 100644
--- a/caddy.service
+++ b/caddy.service
@@ -31,7 +31,7 @@ LimitNPROC=512
 ; Use private /tmp and /var/tmp, which are discarded after caddy stops.
 PrivateTmp=true
 ; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
-PrivateDevices=false
+PrivateDevices=true
 ; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
 ProtectHome=true
 ; Make /usr, /boot, /etc and possibly some more folders read-only.
From 8185fd7023cb318f52a5fb3b9abd632b98960aa1 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Thu, 6 Jun 2019 18:51:03 +0530
Subject: [PATCH 22/36] Update and streamline update script
Signed-off-by: Harsh Shandilya
---
update.sh | 25 ++++++++++---------------
1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/update.sh b/update.sh
index c89ff50..3308c05 100755
--- a/update.sh
+++ b/update.sh
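Review bot: The comment `; They further restrict privileges that can be gained by caddy. Uncomment if you like.` is stale in this copy, because the three directives under it (`CapabilityBoundingSet=`, `AmbientCapabilities=`, `NoNewPrivileges=true`) are already active; reword it to say they are enabled and that the unit therefore needs systemd v229 or later. `ReadWriteDirectories=/etc/ssl/caddy` is the pre-v231 spelling of `ReadWritePaths=`, which is still accepted but less clear about what it grants. `ExecStart` falls back to `-root=/var/tmp` while `PrivateTmp=true` gives the process an empty private /var/tmp, which is exactly the safe empty document root the comment above it asks for; saying so in that comment stops someone from "fixing" it later.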
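Review bot: `+PrivateDevices=true` leaves the comment directly above it, `; Use a minimal /dev (May bring additional security if switched to 'true', ... so it has been disabled in this dist.)`, stating the opposite of what the directive now does, and the commit title "Disable private devices" inverts the change as well. Replace the comment with something like `; Use a minimal /dev; caddy needs no device access, so this is enabled here.` PATCH 24 makes the same `false` to `true` flip in mirror-bot.service under a "Grammar nits" title with the same stale comment left in place.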
@@ -3,32 +3,27 @@
 CL_RST="\033[0m"
 CL_YLW="\033[01;33m"
 
-function reportWarning {
- echo -e ""
+function prettyPrint {
 echo -e "${CL_YLW}${1}${CL_RST}"
- if [[ -z "${2}" ]]; then
- echo -e ""
- fi
 }
 
 # Grab all service names
-declare -a services
-while IFS= read -r -d $'\0'; do
- services+=("$REPLY")
-done < <(find . -name '*.service' -print0 | sed 's/\.\///g')
+declare -a services=('caddy' 'horbiswalls-bot' 'mirror-bot' 'uno-bot')
 
 # Place the systemd unit files where they belong
-reportWarning "Copying systemd files to /etc/systemd/system"
-for service in "${services[@]}"; do sudo cp "${service}" /etc/systemd/system/; done
+prettyPrint "Copying systemd files to /etc/systemd/system"
+for service in "${services[@]}"; do sudo cp -v "${service}.service" /etc/systemd/system/; done
 
 # Reload systemctl so that it processes our changes
-reportWarning "Reloading systemctl daemon"
+prettyPrint "Reloading systemctl daemon"
 sudo systemctl daemon-reload
 
 # Now loop through each service and restart it
 for service in "${services[@]}"; do
- service="${service/.service/}"
- reportWarning "Restarting ${service}"
+ prettyPrint "Restarting ${service}"
 sudo service "${service}" restart
- [ -f "/etc/systemd/system/multi-user.target.wants/${service}.service" ] && sudo systemctl enable "${service}"
+ if [ ! -f "/etc/systemd/system/multi-user.target.wants/${service}.service" ]; then
+ prettyPrint "Enabling ${service}"
+ sudo systemctl enable "${service}"
+ fi
 done
From 384c2a74190b21b73a19ce9b7020f77f8d90401d Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Thu, 27 Jun 2019 11:33:14 +0000
Subject: [PATCH 23/36] mirror-bot: Update for latest master
Signed-off-by: Harsh Shandilya
---
mirror-bot.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mirror-bot.service b/mirror-bot.service
index 31f7f72..53adeb6 100644
--- a/mirror-bot.service
+++ b/mirror-bot.service
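Review bot: `+declare -a services=('caddy' 'horbiswalls-bot' 'mirror-bot' 'uno-bot')` replaces discovery with a hand-maintained list, so a unit file added to the repository is silently never installed until someone also edits this array (PATCH 28 has to do exactly that for gitea). If the intent is to exclude stray files, the comment above it should say so; otherwise `shopt -s nullglob; for unit in *.service; do services+=("${unit%.service}"); done` keeps the list derived from the tree without parsing ls. The rewritten loop also still runs without `set -euo pipefail`, so a failed `sudo cp -v` is followed by a restart of whatever old unit is installed.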
@@ -8,7 +8,7 @@ Type=simple
 User=msfjarvis
 WorkingDirectory=/home/msfjarvis/aria-telegram-mirror-bot
 ExecStartPre=/usr/bin/env bash aria.sh
-ExecStart=/usr/bin/npm --max_old_space_size=128 start
+ExecStart=/usr/bin/npm start
 ExecReload=/bin/kill -USR1 $MAINPID
 
 ; Use graceful shutdown with a reasonable timeout
From 74a9ac1246f1c5a1633393ff917212cf6e6c6870 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Sat, 29 Jun 2019 15:34:35 +0530
Subject: [PATCH 24/36] treewide: Grammar nits
Signed-off-by: Harsh Shandilya
---
horbiswalls-bot.service | 4 ++--
mirror-bot.service | 6 +++---
uno-bot.service | 4 ++--
3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/horbiswalls-bot.service b/horbiswalls-bot.service
index fd1e80f..bc910b2 100644
--- a/horbiswalls-bot.service
+++ b/horbiswalls-bot.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=horbiswalls Telegram Bot service
+Description=horbiswalls Telegram bot service
 After=network.target
 
 [Service]
@@ -15,7 +15,7 @@ KillMode=mixed
 KillSignal=SIGQUIT
 TimeoutStopSec=5s
 
-; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+; Use private /tmp and /var/tmp, which are discarded after the process stops.
 PrivateTmp=true
 ; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
 PrivateDevices=false
diff --git a/mirror-bot.service b/mirror-bot.service
index 53adeb6..deab98d 100644
--- a/mirror-bot.service
+++ b/mirror-bot.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=aria2 mirror Telegram Bot service
+Description=aria2 mirror Telegram bot service
 After=network.target
 
 [Service]
@@ -16,10 +16,10 @@ KillMode=mixed
 KillSignal=SIGQUIT
 TimeoutStopSec=5s
 
-; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+; Use private /tmp and /var/tmp, which are discarded after the process stops.
 PrivateTmp=true
 ; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
-PrivateDevices=false
+PrivateDevices=true
 ; Make /usr, /boot, /etc and possibly some more folders read-only.
 ProtectSystem=full
 
diff --git a/uno-bot.service b/uno-bot.service
index 61389e5..d255822 100644
--- a/uno-bot.service
+++ b/uno-bot.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=UNO Telegram Bot service
+Description=UNO Telegram bot service
 After=network.target
 
 [Service]
@@ -15,7 +15,7 @@ KillMode=mixed
 KillSignal=SIGQUIT
 TimeoutStopSec=5s
 
-; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+; Use private /tmp and /var/tmp, which are discarded after the process stops.
 PrivateTmp=true
 ; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
 PrivateDevices=false
From d4848fe485c8a3df9541cd1a6ee47c5f470b315f Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Sun, 14 Jul 2019 11:45:35 +0530
Subject: [PATCH 25/36] Move walls bot to unprivileged user Just sound security IMO
Signed-off-by: Harsh Shandilya
---
horbiswalls-bot.service | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/horbiswalls-bot.service b/horbiswalls-bot.service
index bc910b2..2e0c847 100644
--- a/horbiswalls-bot.service
+++ b/horbiswalls-bot.service
@@ -5,9 +5,9 @@ After=network.target
 [Service]
 Restart=on-abort
 Type=simple
-User=msfjarvis
-WorkingDirectory=/home/msfjarvis/walls-manager
-ExecStart=/home/msfjarvis/walls-manager/venv/bin/python bot.py
+User=bot
+WorkingDirectory=/home/bot/walls-manager
+ExecStart=/home/bot/walls-manager/venv/bin/python bot.py
 ExecReload=/bin/kill -USR1 $MAINPID
 
 ; Use graceful shutdown with a reasonable timeout
From 3a6e204a0027e214c0c071acdc1743fcf1713edc Mon Sep 17 00:00:00 2001 From: Harsh Shandilya Date: Thu, 18 Jul 2019 13:00:22 +0530 Subject: [PATCH 26/36] mirror-bot: Move to unprivileged user Signed-off-by: Harsh Shandilya --- mirror-bot.service | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mirror-bot.service b/mirror-bot.service
index deab98d..b5f1bec 100644
--- a/mirror-bot.service
+++ b/mirror-bot.service
@@ -5,8 +5,8 @@ After=network.target
 [Service]
 Restart=on-abort
 Type=simple
-User=msfjarvis
-WorkingDirectory=/home/msfjarvis/aria-telegram-mirror-bot
+User=bot
+WorkingDirectory=/home/bot/aria-telegram-mirror-bot
 ExecStartPre=/usr/bin/env bash aria.sh
 ExecStart=/usr/bin/npm start
 ExecReload=/bin/kill -USR1 $MAINPID
From e8acfeae93b97db8df84223f96943a35f1492c9b Mon Sep 17 00:00:00 2001 From: Harsh Shandilya Date: Thu, 18 Jul 2019 08:21:38 +0000 Subject: [PATCH 27/36] Allow updating singular units Signed-off-by: Harsh Shandilya --- update.sh | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/update.sh b/update.sh
index 3308c05..f1aaceb 100755
--- a/update.sh
+++ b/update.sh
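Review bot: Moving off the personal account is the right direction, but `User=bot` with `WorkingDirectory=/home/bot/walls-manager` is the same account and home that mirror-bot is moved to in the next hunk, so a compromise of either bot process reaches the other's checkout and whatever credentials it keeps there — there is no isolation between the two. Prefer one system account per unit, e.g. `User=walls-bot` and `WorkingDirectory=/home/walls-bot/walls-manager`, and add `NoNewPrivileges=true` while the [Service] section is being touched. The remainder of the section, including the sandboxing directives, lies outside this hunk.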
@@ -10,16 +10,14 @@ function prettyPrint {
 # Grab all service names
 declare -a services=('caddy' 'horbiswalls-bot' 'mirror-bot' 'uno-bot')
 
-# Place the systemd unit files where they belong
-prettyPrint "Copying systemd files to /etc/systemd/system"
-for service in "${services[@]}"; do sudo cp -v "${service}.service" /etc/systemd/system/; done
-
-# Reload systemctl so that it processes our changes
-prettyPrint "Reloading systemctl daemon"
-sudo systemctl daemon-reload
-
-# Now loop through each service and restart it
+# Now loop through each service and install it
 for service in "${services[@]}"; do
+  if [ "${1}" ] && [ "${service}" != "${1}" ]; then
+    continue
+  fi
+  prettyPrint "Installing ${service}"
+  sudo cp -v "${service}.service" /etc/systemd/system/
+  sudo systemctl daemon-reload
   prettyPrint "Restarting ${service}"
   sudo service "${service}" restart
   if [ ! -f "/etc/systemd/system/multi-user.target.wants/${service}.service" ]; then
From 7ed50631f7704f4327bda5531e42e32327ed0702 Mon Sep 17 00:00:00 2001 From: Harsh Shandilya Date: Tue, 30 Jul 2019 21:34:28 +0530 Subject: [PATCH 28/36] Add gitea service Signed-off-by: Harsh Shandilya --- gitea.service | 22 ++++++++++++++++++++++ update.sh | 2 +- 2 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 gitea.service
diff --git a/gitea.service b/gitea.service
new file mode 100644
index 0000000..9f34a29
--- /dev/null
+++ b/gitea.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+Requires=postgresql.service
+
+[Service]
+LimitMEMLOCK=infinity
+LimitNOFILE=65535
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/var/lib/gitea/
+ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
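Review bot: When `${1}` is given but matches no entry in `services`, the new filter skips every iteration and the script exits 0 without installing or reporting anything, so a typo such as `./update.sh mirrorbot` looks like success. Track whether anything matched — set `matched=1` next to `prettyPrint "Installing ${service}"` and after the loop add `if [ "${1}" ] && [ "${matched:-0}" -eq 0 ]; then echo "no unit named ${1}" >&2; exit 1; fi`. Note also that `sudo systemctl daemon-reload` now runs once per installed unit where the removed code ran it once after copying everything; harmless, but it multiplies the reloads. The loop body continues past the end of the hunk, and whether the script sets `set -e` is outside this view.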
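Review bot: The new gitea unit carries none of the sandboxing the sibling bot units in this repo use — no `PrivateTmp`, `ProtectSystem` or `NoNewPrivileges` — even though it is the service here that exposes a web UI. Add `PrivateTmp=true`, `ProtectSystem=full` and `NoNewPrivileges=true` under [Service]; `ProtectSystem=full` makes /etc read-only, which is fine so long as nothing still needs to write `/etc/gitea/app.ini` after initial setup (worth confirming before enabling). `LimitMEMLOCK=infinity` also deserves a one-line comment saying why gitea needs unlimited locked memory, since nothing in the unit explains it.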
diff --git a/update.sh b/update.sh
index f1aaceb..7d4fb5c 100755
--- a/update.sh
+++ b/update.sh
@@ -8,7 +8,7 @@ function prettyPrint {
 }
 
 # Grab all service names
-declare -a services=('caddy' 'horbiswalls-bot' 'mirror-bot' 'uno-bot')
+declare -a services=('caddy' 'gitea' 'horbiswalls-bot' 'mirror-bot' 'uno-bot')
 
 # Now loop through each service and install it
 for service in "${services[@]}"; do
From ac002ae0cf2f528e98b9cba7504ceeccaf424863 Mon Sep 17 00:00:00 2001 From: Harsh Shandilya Date: Wed, 31 Jul 2019 17:50:22 +0530 Subject: [PATCH 29/36] Add service and timer for androidx-release-watcher Signed-off-by: Harsh Shandilya --- androidx-release-watcher.service | 10 ++++++++++ release-watcher-recent.timer | 12 ++++++++++++ update.sh | 20 ++++++++++++++++++-- 3 files changed, 40 insertions(+), 2 deletions(-) create mode 100644 androidx-release-watcher.service create mode 100644 release-watcher-recent.timer
diff --git a/androidx-release-watcher.service b/androidx-release-watcher.service
new file mode 100644
index 0000000..50110b1
--- /dev/null
+++ b/androidx-release-watcher.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Telegram notifier service for androidx-release-watcher
+Wants=release-watcher-recent.timer
+
+[Service]
+WorkingDirectory=/home/bot/androidx-release-watcher
+ExecStart=/home/bot/androidx-release-watcher/venv/bin/python telegram_notifier.py
+
+[Install]
+WantedBy=multi-user.target
diff --git a/release-watcher-recent.timer b/release-watcher-recent.timer
new file mode 100644
index 0000000..b39101f
--- /dev/null
+++ b/release-watcher-recent.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Run shopify-recent every 24 hours with a 30 minute leeway
+Requires=androidx-release-watcher.service
+
+[Timer]
+Unit=androidx-release-watcher.service
+OnUnitInactiveSec=24h
+RandomizedDelaySec=15m
+AccuracySec=1s
+
+[Install]
+WantedBy=timers.target
diff --git a/update.sh b/update.sh
index 7d4fb5c..8c678d2 100755
--- a/update.sh
+++ b/update.sh
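Review bot: `androidx-release-watcher.service` has no `User=` line, so systemd runs it as root, yet `ExecStart` executes `/home/bot/androidx-release-watcher/venv/bin/python telegram_notifier.py` out of the `bot` account's home — anyone who can write to that tree (the `bot` user the other units run as, or any of those bots once compromised) gets code execution as root on every run. Add `User=bot` and `Group=bot` under [Service] so the notifier runs with the same privileges as the code it executes. Neither the venv nor the script is in this repo, so what the notifier itself does is not visible here.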
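Review bot: The timer's `Description=Run shopify-recent every 24 hours with a 30 minute leeway` names a different job and a different leeway than the unit configures (`Unit=androidx-release-watcher.service`, `RandomizedDelaySec=15m`), which will mislead anyone reading `systemctl list-timers`; change it to `Description=Run androidx-release-watcher every 24 hours with a 15 minute leeway`. Separately, `Requires=androidx-release-watcher.service` in the timer's [Unit] makes starting the timer start the service immediately, and the service's own `Wants=release-watcher-recent.timer` points back, so the two units pull each other in; a timer normally carries no `Requires=` on its target. With only `OnUnitInactiveSec=24h` the schedule is relative to the service's last deactivation, so as far as I recall the timer never fires until the service has run once — if booting via multi-user.target is what guarantees that first run, a comment saying so would help.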
@@ -8,7 +8,8 @@ function prettyPrint {
 }
 
 # Grab all service names
-declare -a services=('caddy' 'gitea' 'horbiswalls-bot' 'mirror-bot' 'uno-bot')
+declare -a services=('androidx-release-watcher' 'caddy' 'gitea' 'horbiswalls-bot' 'mirror-bot' 'uno-bot')
+declare -a timers=('release-watcher-recent')
 
 # Now loop through each service and install it
 for service in "${services[@]}"; do
@@ -19,9 +20,24 @@ for service in "${services[@]}"; do
   sudo cp -v "${service}.service" /etc/systemd/system/
   sudo systemctl daemon-reload
   prettyPrint "Restarting ${service}"
-  sudo service "${service}" restart
+  sudo systemctl restart "${service}"
   if [ ! -f "/etc/systemd/system/multi-user.target.wants/${service}.service" ]; then
     prettyPrint "Enabling ${service}"
     sudo systemctl enable "${service}"
   fi
 done
+
+for timer in "${timers[@]}"; do
+  if [ "${1}" ] && [ "${timer}" != "${1}" ]; then
+    continue
+  fi
+  prettyPrint "Installing ${timer}"
+  sudo cp -v "${timer}.timer" /etc/systemd/system/
+  sudo systemctl daemon-reload
+  prettyPrint "Restarting ${timer}"
+  sudo systemctl restart "${timer}".timer
+  if [ ! -f "/etc/systemd/system/multi-user.target.wants/${timer}.timer" ]; then
+    prettyPrint "Enabling ${timer}"
+    sudo systemctl enable "${timer}".timer
+  fi
+done
From 07ac48d367589c26fa0646479c996fc9fff3cb70 Mon Sep 17 00:00:00 2001 From: Harsh Shandilya Date: Wed, 31 Jul 2019 19:34:39 +0530 Subject: [PATCH 30/36] Setup security rules for release watcher service Signed-off-by: Harsh Shandilya --- androidx-release-watcher.service | 12 ++++++++++++ 1 file changed, 12 insertions(+)
diff --git a/androidx-release-watcher.service b/androidx-release-watcher.service
index 50110b1..69aebb6 100644
--- a/androidx-release-watcher.service
+++ b/androidx-release-watcher.service
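Review bot: The enable check in the new timer loop tests `/etc/systemd/system/multi-user.target.wants/${timer}.timer`, but the timer unit added in the previous patch is `WantedBy=timers.target`, so that path never exists, the condition is always true and `systemctl enable` is re-run on every invocation; the service loop has the same latent problem for any unit whose [Install] target is not multi-user. Ask systemd instead of probing the symlink: `if ! systemctl is-enabled --quiet "${timer}.timer"; then`. Minor style: `"${timer}".timer` quotes only half the word, while `"${timer}.timer"` is the form used two lines above for the copy.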
@@ -6,5 +6,17 @@ Wants=release-watcher-recent.timer
 WorkingDirectory=/home/bot/androidx-release-watcher
 ExecStart=/home/bot/androidx-release-watcher/venv/bin/python telegram_notifier.py
 
+; Use graceful shutdown with a reasonable timeout
+KillMode=mixed
+KillSignal=SIGQUIT
+TimeoutStopSec=5s
+
+; Use private /tmp and /var/tmp, which are discarded after the process stops.
+PrivateTmp=true
+; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
+PrivateDevices=false
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+
 [Install]
 WantedBy=multi-user.target
From 2d145d1f6c7519848841a0c6f28d09c9ee0c73ec Mon Sep 17 00:00:00 2001 From: Harsh Shandilya Date: Wed, 31 Jul 2019 20:27:58 +0530 Subject: [PATCH 31/36] Add walls-bot service Signed-off-by: Harsh Shandilya --- update.sh | 2 +- walls-bot.service | 26 ++++++++++++++++++++++++++ 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 walls-bot.service
diff --git a/update.sh b/update.sh
index 8c678d2..d3198d4 100755
--- a/update.sh
+++ b/update.sh
@@ -8,7 +8,7 @@ function prettyPrint {
 }
 
 # Grab all service names
-declare -a services=('androidx-release-watcher' 'caddy' 'gitea' 'horbiswalls-bot' 'mirror-bot' 'uno-bot')
+declare -a services=('androidx-release-watcher' 'caddy' 'gitea' 'horbiswalls-bot' 'mirror-bot' 'uno-bot', 'walls-bot')
 declare -a timers=('release-watcher-recent')
 
 # Now loop through each service and install it
diff --git a/walls-bot.service b/walls-bot.service
new file mode 100644
index 0000000..3427bea
--- /dev/null
+++ b/walls-bot.service
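Review bot: The sandboxing added here still leaves the largest gap in this unit untouched: there is no `User=` line, so the notifier runs as root while executing a venv interpreter and script from `/home/bot`, and `PrivateTmp`/`ProtectSystem=full` do nothing to contain a root process that runs code another account can edit. Add `User=bot` and `Group=bot` at the top of [Service]; `NoNewPrivileges=true` is then a cheap addition. The comment above `PrivateDevices=false` says it "has been disabled in this dist." while mirror-bot.service on the same host has it enabled — either enable it here too or note why this unit is different.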
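Review bot: The new array literal has a stray comma — `'uno-bot', 'walls-bot'` makes the element `uno-bot,` (bash does not use commas as separators), so the loop will attempt `sudo cp -v "uno-bot,.service"` and `systemctl restart "uno-bot,"`, and the real uno-bot unit is no longer updated at all. Drop the comma: `declare -a services=('androidx-release-watcher' 'caddy' 'gitea' 'horbiswalls-bot' 'mirror-bot' 'uno-bot' 'walls-bot')`.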
@@ -0,0 +1,26 @@
+[Unit]
+Description=horbiswalls Telegram bot service
+After=network.target
+
+[Service]
+Restart=on-abort
+Type=simple
+User=bot
+WorkingDirectory=/home/bot/walls-bot
+ExecStart=/home/bot/walls-bot/gradlew run
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Use graceful shutdown with a reasonable timeout
+KillMode=mixed
+KillSignal=SIGQUIT
+TimeoutStopSec=5s
+
+; Use private /tmp and /var/tmp, which are discarded after the process stops.
+PrivateTmp=true
+; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
+PrivateDevices=false
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target
From c93e63c673d001ebebd5d4913c5d44bcb99a7507 Mon Sep 17 00:00:00 2001 From: Harsh Shandilya Date: Sat, 3 Aug 2019 17:29:45 +0530 Subject: [PATCH 32/36] Remove unused service Signed-off-by: Harsh Shandilya --- horbiswalls-bot.service | 26 -------------------------- 1 file changed, 26 deletions(-) delete mode 100644 horbiswalls-bot.service
diff --git a/horbiswalls-bot.service b/horbiswalls-bot.service
deleted file mode 100644
index 2e0c847..0000000
--- a/horbiswalls-bot.service
+++ /dev/null
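Review bot: `KillSignal=SIGQUIT` is carried over from the Python and Node units, but `ExecStart=/home/bot/walls-bot/gradlew run` ends up in a JVM, and the JVM treats SIGQUIT as a thread-dump request rather than a request to exit; every `systemctl stop` will therefore print a thread dump, wait out `TimeoutStopSec=5s` and end in SIGKILL. Drop the `KillSignal=` line (systemd's default is SIGTERM) or set `KillSignal=SIGTERM`. Running the Gradle wrapper as the service command also means a start may fetch a Gradle distribution over the network and rebuild before the bot is up; a prebuilt launcher (`gradlew installDist`, then `ExecStart` pointing at the generated `bin/` script) would be faster and more predictable, though the project layout is not visible here. The `Description=` is also copied from horbiswalls-bot and should name this bot.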
@@ -1,26 +0,0 @@
-[Unit]
-Description=horbiswalls Telegram bot service
-After=network.target
-
-[Service]
-Restart=on-abort
-Type=simple
-User=bot
-WorkingDirectory=/home/bot/walls-manager
-ExecStart=/home/bot/walls-manager/venv/bin/python bot.py
-ExecReload=/bin/kill -USR1 $MAINPID
-
-; Use graceful shutdown with a reasonable timeout
-KillMode=mixed
-KillSignal=SIGQUIT
-TimeoutStopSec=5s
-
-; Use private /tmp and /var/tmp, which are discarded after the process stops.
-PrivateTmp=true
-; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
-PrivateDevices=false
-; Make /usr, /boot, /etc and possibly some more folders read-only.
-ProtectSystem=full
-
-[Install]
-WantedBy=multi-user.target
From b36f785eaee457f109ad14b0a152744b288470df Mon Sep 17 00:00:00 2001 From: Harsh Shandilya Date: Sat, 3 Aug 2019 17:31:39 +0530 Subject: [PATCH 33/36] Add private mirror bot and phone walls bot service Signed-off-by: Harsh Shandilya --- mirror-bot-2.service | 27 +++++++++++++++++++++++++++ update.sh | 2 +- walls-bot-2.service | 26 ++++++++++++++++++++++++++ 3 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 mirror-bot-2.service create mode 100644 walls-bot-2.service
diff --git a/mirror-bot-2.service b/mirror-bot-2.service
new file mode 100644
index 0000000..9741da3
--- /dev/null
+++ b/mirror-bot-2.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=aria2 mirror Telegram bot service
+After=network.target
+
+[Service]
+Restart=on-abort
+Type=simple
+User=bot
+WorkingDirectory=/home/bot/aria-telegram-mirror-bot-2
+ExecStartPre=/usr/bin/env bash aria.sh
+ExecStart=/usr/bin/npm start
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Use graceful shutdown with a reasonable timeout
+KillMode=mixed
+KillSignal=SIGQUIT
+TimeoutStopSec=5s
+
+; Use private /tmp and /var/tmp, which are discarded after the process stops.
+PrivateTmp=true
+; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
+PrivateDevices=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target
diff --git a/update.sh b/update.sh
index d3198d4..ff2226e 100755
--- a/update.sh
+++ b/update.sh
@@ -8,7 +8,7 @@ function prettyPrint {
 }
 
 # Grab all service names
-declare -a services=('androidx-release-watcher' 'caddy' 'gitea' 'horbiswalls-bot' 'mirror-bot' 'uno-bot', 'walls-bot')
+declare -a services=('androidx-release-watcher' 'caddy' 'gitea' 'horbiswalls-bot' 'mirror-bot' 'mirror-bot-2' 'uno-bot' 'walls-bot' 'walls-bot-2')
 declare -a timers=('release-watcher-recent')
 
 # Now loop through each service and install it
diff --git a/walls-bot-2.service b/walls-bot-2.service
new file mode 100644
index 0000000..fe85c49
--- /dev/null
+++ b/walls-bot-2.service
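Review bot: This is the "private" mirror bot per the commit message, yet it runs as the same `User=bot` with a working directory under the same `/home/bot` as the public mirror-bot and walls-bot units, so whatever makes it private (its token, the `aria.sh` it runs via `ExecStartPre`, anything it downloads) is readable and writable by the other bots' processes. Give it its own account, e.g. `User=mirror-bot-2` and `WorkingDirectory=/home/mirror-bot-2/aria-telegram-mirror-bot-2`. Also, the comment above `PrivateDevices=true` still says the option "has been disabled in this dist."; reword it to match, e.g. `; Use a minimal /dev (enabled here; set to false if the host needs real device nodes).`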
@@ -0,0 +1,26 @@
+[Unit]
+Description=horbiswalls Telegram bot service
+After=network.target
+
+[Service]
+Restart=on-abort
+Type=simple
+User=bot
+WorkingDirectory=/home/bot/walls-bot-2
+ExecStart=/home/bot/walls-bot/gradlew run
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Use graceful shutdown with a reasonable timeout
+KillMode=mixed
+KillSignal=SIGQUIT
+TimeoutStopSec=5s
+
+; Use private /tmp and /var/tmp, which are discarded after the process stops.
+PrivateTmp=true
+; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
+PrivateDevices=false
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target
From 63a6d86783f13b7ff975ca6ae7f37570679db6a4 Mon Sep 17 00:00:00 2001 From: Harsh Shandilya Date: Fri, 9 Aug 2019 17:30:48 +0530 Subject: [PATCH 34/36] caddy: Use envfile for credentials Signed-off-by: Harsh Shandilya --- caddy.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/caddy.service b/caddy.service
index b81f8bb..9e09f91 100644
--- a/caddy.service
+++ b/caddy.service
@@ -15,7 +15,7 @@ Group=caddy
 Environment=CADDYPATH=/etc/ssl/caddy
 
 ; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
-ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
+ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp -envfile /etc/caddy/env
 ExecReload=/bin/kill -USR1 $MAINPID
 
 ; Use graceful shutdown with a reasonable timeout
From 0ea4788a1ef7b87bab1771e0a513c485de632072 Mon Sep 17 00:00:00 2001 From: Harsh Shandilya Date: Sat, 10 Aug 2019 14:25:15 +0530 Subject: [PATCH 35/36] update: Allow passing full filenames Signed-off-by: Harsh Shandilya --- update.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
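Review bot: `ExecStart=/home/bot/walls-bot/gradlew run` points at the first walls bot's checkout while `WorkingDirectory=/home/bot/walls-bot-2`; the Gradle wrapper locates its project from its own script path, so as far as I can tell this unit builds and runs walls-bot, not walls-bot-2. It should read `ExecStart=/home/bot/walls-bot-2/gradlew run`. As in walls-bot.service, `KillSignal=SIGQUIT` asks the JVM for a thread dump instead of stopping it, so `systemctl stop` will sit out the 5 s timeout and SIGKILL; prefer `KillSignal=SIGTERM` or drop the line. The `Description=` is likewise a copy of the other bot's.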
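Review bot: The new `-envfile /etc/caddy/env` makes that file the credential store for the web server, but nothing in the unit or this repo records who may read it; the process runs in group `caddy` (visible in the hunk header), so if the file is created world-readable every local account can read the credentials. Add a comment above `ExecStart` to pin the expectation down: `; /etc/caddy/env holds credentials; keep it root:caddy 0640 (caddy only needs read access).` A minor style point: the other arguments use the `-flag=value` form and the new one uses `-envfile /etc/caddy/env`; `-envfile=/etc/caddy/env` keeps the line uniform.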
diff --git a/update.sh b/update.sh
index ff2226e..5f04901 100755
--- a/update.sh
+++ b/update.sh
@@ -13,7 +13,7 @@ declare -a timers=('release-watcher-recent')
 
 # Now loop through each service and install it
 for service in "${services[@]}"; do
-  if [ "${1}" ] && [ "${service}" != "${1}" ]; then
+  if [ "${1}" ] && [[ "${service}" != "${1}" && "${service}.service" != "${1}" ]]; then
     continue
   fi
   prettyPrint "Installing ${service}"
@@ -28,7 +28,7 @@ for service in "${services[@]}"; do
 done
 
 for timer in "${timers[@]}"; do
-  if [ "${1}" ] && [ "${timer}" != "${1}" ]; then
+  if [ "${1}" ] && [[ "${timer}" != "${1}" && "${timer}.timer" != "${1}" ]]; then
     continue
   fi
   prettyPrint "Installing ${timer}"
From 99f807dd3ddab8ab13f8213aa32ae5f525146fae Mon Sep 17 00:00:00 2001 From: Harsh Shandilya Date: Wed, 14 Aug 2019 22:29:29 +0530 Subject: [PATCH 36/36] Remove unused units Signed-off-by: Harsh Shandilya --- androidx-release-watcher.service | 22 ---------------------- release-watcher-recent.timer | 12 ------------ update.sh | 18 +----------------- 3 files changed, 1 insertion(+), 51 deletions(-) delete mode 100644 androidx-release-watcher.service delete mode 100644 release-watcher-recent.timer
diff --git a/androidx-release-watcher.service b/androidx-release-watcher.service
deleted file mode 100644
index 69aebb6..0000000
--- a/androidx-release-watcher.service
+++ /dev/null
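Review bot: The new filter mixes `[ "${1}" ]` with a `[[ … ]]` compound, two test dialects in one condition; a single `[[ ]]` expression says the same thing and makes the non-empty check explicit: `if [[ -n "${1}" && "${service}" != "${1}" && "${service}.service" != "${1}" ]]; then`, and correspondingly with `"${timer}.timer"` in the second hunk. Accepting both the bare name and the `.service`/`.timer` form is convenient, but an argument that matches nothing in either loop still makes the script exit 0 having done nothing, so a closing check after the loops would let the new feature fail loudly on a typo.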
@@ -1,22 +0,0 @@
-[Unit]
-Description=Telegram notifier service for androidx-release-watcher
-Wants=release-watcher-recent.timer
-
-[Service]
-WorkingDirectory=/home/bot/androidx-release-watcher
-ExecStart=/home/bot/androidx-release-watcher/venv/bin/python telegram_notifier.py
-
-; Use graceful shutdown with a reasonable timeout
-KillMode=mixed
-KillSignal=SIGQUIT
-TimeoutStopSec=5s
-
-; Use private /tmp and /var/tmp, which are discarded after the process stops.
-PrivateTmp=true
-; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
-PrivateDevices=false
-; Make /usr, /boot, /etc and possibly some more folders read-only.
-ProtectSystem=full
-
-[Install]
-WantedBy=multi-user.target
diff --git a/release-watcher-recent.timer b/release-watcher-recent.timer
deleted file mode 100644
index b39101f..0000000
--- a/release-watcher-recent.timer
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=Run shopify-recent every 24 hours with a 30 minute leeway
-Requires=androidx-release-watcher.service
-
-[Timer]
-Unit=androidx-release-watcher.service
-OnUnitInactiveSec=24h
-RandomizedDelaySec=15m
-AccuracySec=1s
-
-[Install]
-WantedBy=timers.target
diff --git a/update.sh b/update.sh
index 5f04901..1f50fbe 100755
--- a/update.sh
+++ b/update.sh
@@ -8,8 +8,7 @@ function prettyPrint {
 }
 
 # Grab all service names
-declare -a services=('androidx-release-watcher' 'caddy' 'gitea' 'horbiswalls-bot' 'mirror-bot' 'mirror-bot-2' 'uno-bot' 'walls-bot' 'walls-bot-2')
-declare -a timers=('release-watcher-recent')
+declare -a services=('caddy' 'gitea' 'horbiswalls-bot' 'mirror-bot' 'mirror-bot-2' 'uno-bot' 'walls-bot' 'walls-bot-2')
 
 # Now loop through each service and install it
 for service in "${services[@]}"; do
@@ -26,18 +25,3 @@ for service in "${services[@]}"; do
     sudo systemctl enable "${service}"
   fi
 done
-
-for timer in "${timers[@]}"; do
-  if [ "${1}" ] && [[ "${timer}" != "${1}" && "${timer}.timer" != "${1}" ]]; then
-    continue
-  fi
-  prettyPrint "Installing ${timer}"
-  sudo cp -v "${timer}.timer" /etc/systemd/system/
-  sudo systemctl daemon-reload
-  prettyPrint "Restarting ${timer}"
-  sudo systemctl restart "${timer}".timer
-  if [ ! -f "/etc/systemd/system/multi-user.target.wants/${timer}.timer" ]; then
-    prettyPrint "Enabling ${timer}"
-    sudo systemctl enable "${timer}".timer
-  fi
-done