From: Eric Wong
To: meta@public-inbox.org
Subject: [PATCH 3/4] examples: add systemd files for -netd
Date: Thu, 11 Aug 2022 20:13:10 +0000
Message-Id: <20220811201311.21922-4-e@80x24.org>
In-Reply-To: <20220811201311.21922-1-e@80x24.org>
References: <20220811201311.21922-1-e@80x24.org>

It's important to show that a single systemd service and socket file
can replace all other read-only daemons for ease-of-management.
---
 MANIFEST                             |  2 +
 examples/public-inbox-httpd.socket   |  3 ++
 examples/public-inbox-httpd@.service |  3 ++
 examples/public-inbox-imapd.socket   |  3 ++
 examples/public-inbox-imapd@.service |  3 ++
 examples/public-inbox-netd.socket    | 45 +++++++++++++++++++++
 examples/public-inbox-netd@.service  | 60 ++++++++++++++++++++++++++++
 examples/public-inbox-nntpd.socket   |  3 ++
 examples/public-inbox-nntpd@.service |  3 ++
 9 files changed, 125 insertions(+)
 create mode 100644 examples/public-inbox-netd.socket
 create mode 100644 examples/public-inbox-netd@.service

diff --git a/MANIFEST b/MANIFEST index 9900b776..cc0a9a4c 100644 --- a/MANIFEST +++ b/MANIFEST @@ -136,6 +136,8 @@ examples/public-inbox-httpd.socket examples/public-inbox-httpd@.service examples/public-inbox-imapd.socket examples/public-inbox-imapd@.service +examples/public-inbox-netd.socket +examples/public-inbox-netd@.service examples/public-inbox-nntpd.socket examples/public-inbox-nntpd@.service examples/public-inbox-watch.service diff --git a/examples/public-inbox-httpd.socket b/examples/public-inbox-httpd.socket index 1a1ed735..3a6e4432 100644 --- a/examples/public-inbox-httpd.socket +++ b/examples/public-inbox-httpd.socket @@ -1,4 +1,7 @@ # ==> /etc/systemd/system/public-inbox-httpd.socket <== +# Consider looking at public-inbox-netd.socket instead of this file +# to simplify management when serving multiple protocols. + [Unit] Description = public-inbox-httpd socket diff --git a/examples/public-inbox-httpd@.service b/examples/public-inbox-httpd@.service index 147f7c6d..73731533 100644 --- a/examples/public-inbox-httpd@.service +++ b/examples/public-inbox-httpd@.service @@ -1,4 +1,7 @@ # ==> /etc/systemd/system/public-inbox-httpd@.service <== +# Consider looking at public-inbox-netd@.service instead of this file +# to simplify management when serving multiple protocols. +# # Since SIGUSR2 upgrades do not work under systemd, this service file # allows starting two simultaneous services during upgrade time # (e.g. public-inbox-httpd@1 public-inbox-httpd@2) with the intention diff --git a/examples/public-inbox-imapd.socket b/examples/public-inbox-imapd.socket index c3c55ea1..22ce16fb 100644 --- a/examples/public-inbox-imapd.socket +++ b/examples/public-inbox-imapd.socket 
@@ -1,4 +1,7 @@ # ==> /etc/systemd/system/public-inbox-imapd.socket <== +# Consider looking at public-inbox-netd.socket instead of this file +# to simplify management when serving multiple protocols. +# # This contains 5 sockets for an public-inbox-imapd instance. # The TCP ports are well-known ports registered in /etc/services. # The /run/imapd.onion.sock entry is meant for the Tor hidden service diff --git a/examples/public-inbox-imapd@.service b/examples/public-inbox-imapd@.service index f7428d85..300019a8 100644 --- a/examples/public-inbox-imapd@.service +++ b/examples/public-inbox-imapd@.service @@ -1,4 +1,7 @@ # ==> /etc/systemd/system/public-inbox-imapd@.service <== +# Consider looking at public-inbox-netd@.service instead of this file +# to simplify management when serving multiple protocols. +# # Since SIGUSR2 upgrades do not work under systemd, this service file # allows starting two simultaneous services during upgrade time # (e.g. public-inbox-imapd@1 public-inbox-imapd@2) with the intention diff --git a/examples/public-inbox-netd.socket b/examples/public-inbox-netd.socket new file mode 100644 index 00000000..9a19602e --- /dev/null +++ b/examples/public-inbox-netd.socket 
@@ -0,0 +1,45 @@ +# ==> /etc/systemd/system/public-inbox-netd.socket <== +# This contains all the services that public-inbox-netd can run; +# allowing it to replace (or run in parallel to) any existing -httpd, +# -imapd, -nntpd, or -pop3d instances. +# +# The TCP ports are well-known ports registered in /etc/services. +# The /run/*.sock entries are meant for the Tor hidden service +# enabled by the following lines in the torrc(5) file: +# HiddenServicePort 110 unix:/run/pop3.sock +# HiddenServicePort 119 unix:/run/nntp.sock +# HiddenServicePort 143 unix:/run/imap.sock +[Unit] +Description = public-inbox-netd sockets + +[Socket] +# for tor (see torrc(5)) +ListenStream = /run/imap.sock +ListenStream = /run/pop3.sock +ListenStream = /run/nntp.sock + +# this is for varnish: +ListenStream = 127.0.0.1:280 + +# public facing +ListenStream = 0.0.0.0:110 +ListenStream = 0.0.0.0:119 +ListenStream = 0.0.0.0:143 +ListenStream = 0.0.0.0:563 +ListenStream = 0.0.0.0:993 +ListenStream = 0.0.0.0:995 + +# Separating IPv4 from IPv6 listeners makes for nicer output +# of IPv4 addresses in various reporting/monitoring tools +BindIPv6Only = ipv6-only +ListenStream = [::]:110 +ListenStream = [::]:119 +ListenStream = [::]:143 +ListenStream = [::]:563 +ListenStream = [::]:993 +ListenStream = [::]:995 + +Service = public-inbox-netd@1.service + +[Install] +WantedBy = sockets.target diff --git a/examples/public-inbox-netd@.service b/examples/public-inbox-netd@.service new file mode 100644 index 00000000..de5feea6 --- /dev/null +++ b/examples/public-inbox-netd@.service 
@@ -0,0 +1,60 @@ +# ==> /etc/systemd/system/public-inbox-netd@.service <== +# Since SIGUSR2 upgrades do not work under systemd, this service file +# allows starting two simultaneous services during upgrade time +# (e.g. public-inbox-netd@1 public-inbox-netd@2) with the intention +# that they take turns running in-between upgrades. This should +# allow upgrading without downtime. +# For servers expecting visitors from multiple timezones, TZ=UTC +# is needed to ensure a consistent approxidate experience with search. +[Unit] +Description = public-inbox-netd server %i +Wants = public-inbox-netd.socket +After = public-inbox-netd.socket + +[Service] +Environment = PI_CONFIG=/home/pi/.public-inbox/config \ +PATH=/usr/local/bin:/usr/bin:/bin \ +TZ=UTC \ +PERL_INLINE_DIRECTORY=/tmp/.netd-inline + +LimitNOFILE = 30000 +LimitCORE = infinity +ExecStartPre = /bin/mkdir -p -m 1777 /tmp/.netd-inline + +# The '-l' args below map each socket in public-inbox-netd.socket to +# the appropriate IANA service name: +ExecStart = /usr/local/bin/public-inbox-netd -W0 \ +-1 /var/log/netd/stdout.out.log \ +--cert /etc/ssl/certs/news.example.com.pem \ +--key /etc/ssl/private/news.example.com.key +-l imap:///run/imap.sock?out=/var/log/netd/imap.out,err=/var/log/netd/imap.err \ +-l nntp:///run/nntp.sock?out=/var/log/netd/nntp.out,err=/var/log/netd/nntp.err \ +-l pop3:///run/pop3.sock?out=/var/log/netd/pop3.out,err=/var/log/netd/pop3.err \ +-l imap://0.0.0.0/?out=/var/log/netd/imap.out,err=/var/log/netd/imap.err \ +-l nntp://0.0.0.0/?out=/var/log/netd/nntp.out,err=/var/log/netd/nntp.err \ +-l pop3://0.0.0.0/?out=/var/log/netd/pop3.out,err=/var/log/netd/pop3.err \ +-l imap://[::]/?out=/var/log/netd/imap.out,err=/var/log/netd/imap.err \ +-l nntp://[::]/?out=/var/log/netd/nntp.out,err=/var/log/netd/nntp.err \ +-l pop3://[::]/?out=/var/log/netd/pop3.out,err=/var/log/netd/pop3.err \ +-l imaps://0.0.0.0/?out=/var/log/netd/imap.out,err=/var/log/netd/imap.err \ +-l 
nntps://0.0.0.0/?out=/var/log/netd/nntp.out,err=/var/log/netd/nntp.err \ +-l pop3s://0.0.0.0/?out=/var/log/netd/pop3.out,err=/var/log/netd/pop3.err \ +-l imaps://[::]/?out=/var/log/netd/imap.out,err=/var/log/netd/imap.err \ +-l nntps://[::]/?out=/var/log/netd/nntp.out,err=/var/log/netd/nntp.err \ +-l pop3s://[::]/?out=/var/log/netd/pop3.out,err=/var/log/netd/pop3.err \ +-l http://127.0.0.1:280/?psgi=/etc/public.psgi,err=/var/log/netd/http.err + +# NonBlocking is REQUIRED to avoid a race condition if running +# simultaneous services +NonBlocking = true + +Sockets = public-inbox-netd.socket +KillSignal = SIGQUIT +User = news +Group = ssl-cert +ExecReload = /bin/kill -HUP $MAINPID +TimeoutStopSec = 30 +KillMode = process + +[Install] +WantedBy = multi-user.target diff --git a/examples/public-inbox-nntpd.socket b/examples/public-inbox-nntpd.socket index 0a3ccb2f..10335d8d 100644 --- a/examples/public-inbox-nntpd.socket +++ b/examples/public-inbox-nntpd.socket @@ -1,4 +1,7 @@ # ==> /etc/systemd/system/public-inbox-nntpd.socket <== +# Consider looking at public-inbox-netd.socket instead of this file +# to simplify management when serving multiple protocols. +# # This contains 5 sockets for an public-inbox-nntpd instance. # The TCP ports are well-known ports registered in /etc/services. # The /run/nntpd.onion.sock entry is meant for the Tor hidden service diff --git a/examples/public-inbox-nntpd@.service b/examples/public-inbox-nntpd@.service index d6aea067..56e1cc8f 100644 --- a/examples/public-inbox-nntpd@.service +++ b/examples/public-inbox-nntpd@.service @@ -1,4 +1,7 @@ # ==> /etc/systemd/system/public-inbox-nntpd@.service <== +# Consider looking at public-inbox-netd@.service instead of this file +# to simplify management when serving multiple protocols. +# # Since SIGUSR2 upgrades do not work under systemd, this service file # allows starting two simultaneous services during upgrade time # (e.g. public-inbox-nntpd@1 public-inbox-nntpd@2) with the intention
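
Review bot: In the examples/public-inbox-netd.socket hunk, the three Unix listeners (/run/imap.sock, /run/pop3.sock, /run/nntp.sock) are declared without SocketMode=, SocketUser= or SocketGroup=, so systemd creates them with its default mode of 0666 and every local account can connect to them, not only the Tor daemon named in the header comment. If that is intended because the data is public, a one-line comment saying so would help people copying the example; otherwise set SocketGroup= to the group Tor runs under and SocketMode = 0660. Note that those settings apply to the whole socket unit, so restricting only the Tor sockets would mean moving them into their own .socket file.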
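
Review bot: In the examples/public-inbox-netd@.service hunk, the ExecStart line "--key /etc/ssl/private/news.example.com.key" is the only continuation line without a trailing backslash, so the command ends there and none of the "-l" listener lines after it are part of the command; add " \" after the key path. Separately, PERL_INLINE_DIRECTORY points at /tmp/.netd-inline, which ExecStartPre creates with "mkdir -p -m 1777": that is a world-writable directory at a predictable path holding compiled code for a daemon that runs with Group = ssl-cert, and "mkdir -p" succeeds without changing ownership or mode if another local user created the path first. A directory writable only by the service account (for example one set up through systemd's CacheDirectory=) would avoid that.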