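# Witryna - Git-based static site deployment orchestrator
#
# NOTE: This file is for MANUAL installations only.
# The Debian package ships its own unit in debian/witryna.service.
#
# Installation:
#   1. Create system user:
#      sudo adduser --system --group --no-create-home --home /var/lib/witryna witryna
#   2. Copy binary:       sudo cp target/release/witryna /usr/local/bin/
#   3. Create config dir: sudo mkdir -p /etc/witryna
#   4. Copy config:       sudo cp witryna.toml /etc/witryna/
#   5. Create dirs:       sudo mkdir -p /var/lib/witryna/{clones,builds,cache} /var/log/witryna
#   6. Set ownership:     sudo chown -R witryna:witryna /var/lib/witryna /var/log/witryna
#   7. Install service:   sudo cp scripts/witryna.service /etc/systemd/system/
#   8. Reload systemd:    sudo systemctl daemon-reload
#   9. Enable service:    sudo systemctl enable witryna
#  10. Start service:     sudo systemctl start witryna
#
# Podman rootless prerequisites (if using container_runtime = "podman"):
#   - Allocate sub-UIDs/GIDs for the witryna user:
#       sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 witryna
#   - Enable lingering so the user session persists:
#       sudo loginctl enable-linger witryna
#   - Allow user namespaces via a systemd drop-in:
#       sudo mkdir -p /etc/systemd/system/witryna.service.d
#       printf '[Service]\nRestrictNamespaces=no\n' | \
#         sudo tee /etc/systemd/system/witryna.service.d/namespaces.conf
#   - Set XDG_RUNTIME_DIR via a systemd drop-in. Substitute the user's numeric
#     UID: in a system unit the %U specifier expands to the UID of the service
#     manager (0), not to the User= account, so /run/user/%U would point at
#     root's runtime directory instead of witryna's.
#       printf '[Service]\nEnvironment="XDG_RUNTIME_DIR=/run/user/%s"\n' "$(id -u witryna)" | \
#         sudo tee /etc/systemd/system/witryna.service.d/xdg-runtime.conf
#   - Reload systemd: sudo systemctl daemon-reload
#
# Usage:
#   sudo systemctl status witryna      # Check status
#   sudo systemctl restart witryna     # Restart service
#   sudo kill -HUP $(pidof witryna)    # Hot-reload config
#   sudo journalctl -u witryna -f      # View logs

[Unit]
Description=Witryna - Git-based static site deployment orchestrator
Documentation=https://git.craftknight.com/dawid/witryna
After=network-online.target
Wants=network-online.target
# Restart rate limit: at most 3 start attempts within 60 seconds, after which
# the unit stays failed until `systemctl reset-failed witryna`.
# These keys belong in [Unit]; in [Service] they are only honoured for
# backwards compatibility and systemd logs a deprecation warning.
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
Type=simple
User=witryna
Group=witryna

# Start the deployment server
ExecStart=/usr/local/bin/witryna serve --config /etc/witryna/witryna.toml
# SIGHUP makes witryna re-read its config (see "Hot-reload config" above)
ExecReload=/bin/kill -HUP $MAINPID

# Environment
Environment="RUST_LOG=info"

# Restart policy
Restart=on-failure
# seconds to wait between a failure and the next start attempt
RestartSec=5

# Security hardening
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectClock=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
# Note: ProtectHome=yes is NOT set because it hides /run/user/,
# which is required for rootless Podman. The witryna user's home is
# /var/lib/witryna (covered by StateDirectory below), not /home.
# NOTE(review): NoNewPrivileges=yes also prevents the setuid newuidmap/newgidmap
# helpers from gaining privileges, and rootless Podman relies on them to map
# the sub-UID/GID range allocated above. The namespaces.conf drop-in alone may
# therefore not be enough on a Podman host -- confirm that containers start.

# State and log directories. systemd creates /var/lib/witryna and
# /var/log/witryna owned by User=/Group= and makes them writable despite
# ProtectSystem=strict (equivalent to ReadWritePaths= for both). Install
# steps 5-6 are still needed for the clones/builds/cache subdirectories.
StateDirectory=witryna
LogsDirectory=witryna

# Allow access to container runtime directories
# For Podman (rootless): needs /run/user/ for XDG_RUNTIME_DIR.
# This grants write access to every user's runtime directory, which is
# broader than needed; narrow it to /run/user/<witryna uid> once that
# UID is known on the target host.
ReadWritePaths=/run/user
# For Docker:
# SupplementaryGroups=docker
# ReadWritePaths=/var/run/docker.sock

# Capabilities: both empty, i.e. every capability is dropped. Container
# runtime access is expected to work unprivileged (rootless Podman or the
# docker group membership above).
CapabilityBoundingSet=
AmbientCapabilities=

# Resource limits
LimitNOFILE=65536
LimitNPROC=4096

[Install]
WantedBy=multi-user.target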