0ceab4c814
- docs/architecture.md: native rewrite plan (5 services + control plane,
Active-Active cluster like nmg, Floating-IP for HTTP ingress)
- cmd/edgeguard-{api,scheduler,ctl}: minimal Gin + CLI stubs
- packaging/debian/edgeguard-{api,ui,meta}: control + maintainer scripts
- deploy/systemd/edgeguard-api.service + edgeguard-scheduler.service
with hardening defaults
- Makefile: build / cross-compile (amd64+arm64) / deb / publish targets
- scripts/install.sh + scripts/apt-repo/build-package.sh stubs
32 lines
888 B
Desktop File
32 lines
888 B
Desktop File
[Unit]
|
|
Description=EdgeGuard Management API
|
|
Documentation=https://git.netcell-it.de/projekte/edgeguard-native
|
|
After=network-online.target postgresql.service keydb-server.service
|
|
Wants=network-online.target keydb-server.service
|
|
Requires=postgresql.service
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=edgeguard
|
|
Group=edgeguard
|
|
ExecStart=/usr/bin/edgeguard-api
|
|
Restart=on-failure
|
|
RestartSec=5
|
|
|
|
# Hardening — API needs to shell out to `sudo systemctl reload haproxy/angie/squid`
|
|
# after writing configs. Sandboxing stays strict around fs/net.
|
|
NoNewPrivileges=false
|
|
ProtectSystem=strict
|
|
ProtectHome=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectControlGroups=true
|
|
PrivateTmp=true
|
|
PrivateDevices=true
|
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
|
SystemCallFilter=@system-service
|
|
ReadWritePaths=/etc/edgeguard /var/lib/edgeguard /var/log/edgeguard
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|