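# systemd unit for the ThrillWiki "bulletproof" development automation script.
# Read by systemd; see systemd.unit(5), systemd.service(5), systemd.exec(5).
# Comment char: '#' on its own line only (systemd does not support trailing comments).
# NOTE: tokens of the form [AWS-SECRET-REMOVED] / ***REMOVED*** are redaction
# markers in this copy of the file, not unit syntax; the real values must be
# restored before the unit is installed.

[Unit]
Description=ThrillWiki Bulletproof Development Automation
Documentation=man:thrillwiki-automation(8)
After=network.target
Wants=network.target
# Ordered before the main service and stopped/restarted together with it.
Before=thrillwiki.service
PartOf=thrillwiki.service
# Start rate limiting is a [Unit] setting (systemd.unit(5)); in [Service] it is
# at best honoured as a legacy alias. Combined with Restart=always below, more
# than 3 (re)starts within 300 s leaves the unit in the failed state.
StartLimitIntervalSec=300
StartLimitBurst=3

[Service]
Type=simple
User=ubuntu
Group=ubuntu
[AWS-SECRET-REMOVED]
[AWS-SECRET-REMOVED]s/vm/bulletproof-automation.sh
# Redundant with the default stop path (KillSignal= is sent per KillMode=
# below); kept only for explicitness.
ExecStop=/bin/kill -TERM $MAINPID
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
# seconds
RestartSec=10
# SIGTERM to the main process first, SIGKILL to the rest of the cgroup after
# TimeoutStopSec.
KillMode=mixed
KillSignal=SIGTERM
# seconds
TimeoutStopSec=60
TimeoutStartSec=120

# Environment variables - Load from file for security
# Leading '-' means a missing file is not an error. The Environment= lines
# below carry no credentials; presumably secrets live only in this file - confirm.
EnvironmentFile=-[AWS-SECRET-REMOVED]thrillwiki-automation***REMOVED***
Environment=PROJECT_DIR=/home/ubuntu/thrillwiki
Environment=SERVICE_NAME=thrillwiki-automation
Environment=GITHUB_REPO=origin
Environment=GITHUB_BRANCH=main
# Intervals/timeouts in seconds; presumably consumed by
# bulletproof-automation.sh - confirm against the script.
Environment=PULL_INTERVAL=300
Environment=HEALTH_CHECK_INTERVAL=60
Environment=STARTUP_TIMEOUT=120
Environment=RESTART_DELAY=10
Environment=LOG_DIR=/home/ubuntu/thrillwiki/logs
# bytes (10 MiB)
Environment=MAX_LOG_SIZE=10485760
# 0.0.0.0 binds every interface; verify a firewall or reverse proxy fronts
# port 8000 on this host.
Environment=SERVER_HOST=0.0.0.0
Environment=SERVER_PORT=8000
# Explicit PATH: user-local tool dirs first, then system dirs. ~/.local is
# mounted read-only below, so nothing on this PATH is writable by the service.
Environment=PATH=/home/ubuntu/.local/bin:/home/ubuntu/.cargo/bin:/usr/local/bin:/usr/bin:/bin
[AWS-SECRET-REMOVED]llwiki

# Security settings - Enhanced hardening for automation script
NoNewPrivileges=true
PrivateTmp=true
# Whole filesystem read-only except ReadWritePaths= listed below.
ProtectSystem=strict
# NOTE(review): ProtectHome=true makes /home inaccessible; whether the
# /home/ubuntu/... entries in ReadWritePaths=/ReadOnlyPaths= below are still
# bind-mounted over it depends on the systemd version. systemd.exec(5)
# documents ProtectHome=tmpfs (or read-only) as the form intended for
# selectively re-exposing home paths - verify on the target host, e.g. with
# `systemd-run -p ProtectHome=true -p ReadWritePaths=/home/ubuntu/thrillwiki ...`.
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictSUIDSGID=true
RestrictRealtime=true
RestrictNamespaces=true
LockPersonality=true
# Deliberately relaxed: W+X memory mappings stay allowed. Document which
# runtime in the automation chain needs this (JIT?) and re-enable if none does.
MemoryDenyWriteExecute=false
RemoveIPC=true
# Not set yet; candidates to evaluate with `systemd-analyze security`:
# SystemCallFilter=@system-service, SystemCallArchitectures=native,
# RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6, ProtectProc=invisible.

# File system permissions - Allow access to necessary directories
# Repeated ReadWritePaths=/ReadOnlyPaths= lines accumulate (list-type settings).
ReadWritePaths=/home/ubuntu/thrillwiki
[AWS-SECRET-REMOVED]ogs
[AWS-SECRET-REMOVED]edia
[AWS-SECRET-REMOVED]taticfiles
[AWS-SECRET-REMOVED]ploads
ReadWritePaths=/home/ubuntu/.cache
# Presumably redundant: PrivateTmp=true already gives the unit its own
# writable /tmp - confirm and drop if so.
ReadWritePaths=/tmp
# Long-lived credentials (GitHub PAT, SSH keys) are exposed to every process
# in the service cgroup for its whole lifetime. LoadCredential= would instead
# hand them to the script only under $CREDENTIALS_DIRECTORY, but requires a
# matching change in bulletproof-automation.sh.
ReadOnlyPaths=/home/ubuntu/.github-pat
ReadOnlyPaths=/home/ubuntu/.ssh
ReadOnlyPaths=/home/ubuntu/.local

# Resource limits - Appropriate for automation script
LimitNOFILE=65536
LimitNPROC=1024
MemoryMax=512M
# half of one CPU
CPUQuota=50%
TasksMax=256

# Timeouts
# NOTE(review): with WatchdogSec= set, systemd expects the main process to
# send WATCHDOG=1 (sd_notify / systemd-notify) at least every 300 s once
# start-up completes (immediately, for Type=simple); otherwise the service is
# aborted and restarted on every timeout. Confirm the script does this.
WatchdogSec=300

# Logging configuration
StandardOutput=journal
StandardError=journal
SyslogIdentifier=thrillwiki-automation
SyslogFacility=daemon
SyslogLevel=info
SyslogLevelPrefix=true
# Enhanced logging for debugging
# Ensure logs are captured and rotated properly
# Directories are created under /var/log, /var/lib and /run respectively and
# owned by User=/Group=. Mode 0755 is the default; 0750 would hide them from
# other local users if nothing else needs to read them.
LogsDirectory=thrillwiki-automation
LogsDirectoryMode=0755
StateDirectory=thrillwiki-automation
StateDirectoryMode=0755
RuntimeDirectory=thrillwiki-automation
RuntimeDirectoryMode=0755

# Capabilities - Minimal required capabilities
# Empty assignments drop every capability from the bounding and ambient sets.
CapabilityBoundingSet=
AmbientCapabilities=
PrivateDevices=true
ProtectClock=true
ProtectHostname=true

[Install]
WantedBy=multi-user.target
# Enabling this unit also enables the main service.
Also=thrillwiki.service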