challenger

OAuth 2.0-based authentication service that validates user can receive messages at a certain address
Log | Files | Refs | Submodules | README | LICENSE
commit b9091f384469d3098c0e95f5a896cdca0f6cb080
parent 75aacbd1d9e497cc83f3efe4e230f5d413c928c2
Author: Christian Grothoff <christian@grothoff.org>
Date:   Sun,  7 Sep 2025 10:40:20 +0200

add socket activation (fixes #9464)

Diffstat:

Mdebian/challenger-httpd.service | 14+++++++++++++-


Adebian/challenger-httpd.socket | 14++++++++++++++


2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/debian/challenger-httpd.service b/debian/challenger-httpd.service
@@ -1,6 +1,7 @@
 [Unit]
 Description=Challenger backend
 After=postgresql.service network.target
+Requires=challenger-httpd.socket
 
 [Service]
 User=challenger-httpd
@@ -8,11 +9,22 @@ Type=simple
 Restart=always
 RestartMode=direct
 RestartSec=1s
-RestartPreventExitStatus=2 3 4 5 6 9
+RestartPreventExitStatus=9
+
+# Disable the service if more than 5 restarts are encountered within 5s.
+# These are usually the systemd defaults, but can be overwritten, thus we set
+# them here explicitly, as the exchange code assumes StartLimitInterval
+# to be >=5s.
+StartLimitBurst=5
+StartLimitInterval=5s
+
 RuntimeMaxSec=3600s
 ExecStart=/usr/bin/challenger-httpd -c /etc/challenger/challenger.conf -L INFO
 StandardOutput=journal
 StandardError=journal
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
 
 [Install]
 WantedBy=multi-user.target
diff --git a/debian/challenger-httpd.socket b/debian/challenger-httpd.socket
@@ -0,0 +1,14 @@
+[Unit]
+Description=Challenger Socket
+PartOf=challenger-httpd.service
+
+[Socket]
+ListenStream=/run/challenger/httpd/challenger-http.sock
+Accept=no
+Service=challenger-httpd.service
+SocketUser=challenger-httpd
+SocketGroup=www-data
+SocketMode=0660
+
+[Install]
+WantedBy=sockets.target