From 6f780c699514d9cd77d1f2f1ad9d7ae567cafb10 Mon Sep 17 00:00:00 2001
From: Cory Francis Myers
Date: Wed, 24 May 2023 12:46:07 -0700
Subject: [PATCH] feat: add systemd timer to run "manage.py remove-pending-sources" daily
---
.../system/securedrop-remove-pending-sources.service | 12 ++++++++++++
.../system/securedrop-remove-pending-sources.timer | 9 +++++++++
securedrop/debian/rules | 8 +++++---
3 files changed, 26 insertions(+), 3 deletions(-)
create mode 100644 securedrop/debian/app-code/lib/systemd/system/securedrop-remove-pending-sources.service
create mode 100644 securedrop/debian/app-code/lib/systemd/system/securedrop-remove-pending-sources.timer
diff --git a/securedrop/debian/app-code/lib/systemd/system/securedrop-remove-pending-sources.service b/securedrop/debian/app-code/lib/systemd/system/securedrop-remove-pending-sources.service
new file mode 100644
index 0000000000..3a00e3ee41
--- /dev/null
+++ b/securedrop/debian/app-code/lib/systemd/system/securedrop-remove-pending-sources.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=job to remove pending SecureDrop sources daily
+
+[Service]
+ExecStart=/var/www/securedrop/manage.py remove-pending-sources
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=/var/lib/securedrop
+User=www-data
+WorkingDirectory=/var/www/securedrop
diff --git a/securedrop/debian/app-code/lib/systemd/system/securedrop-remove-pending-sources.timer b/securedrop/debian/app-code/lib/systemd/system/securedrop-remove-pending-sources.timer
new file mode 100644
index 0000000000..7a7c8961e5
--- /dev/null
+++ b/securedrop/debian/app-code/lib/systemd/system/securedrop-remove-pending-sources.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=remove pending SecureDrop sources daily
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/securedrop/debian/rules b/securedrop/debian/rules
index 4fcfec137d..4ca1c92280 100755
--- a/securedrop/debian/rules
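Review bot: The [Service] section of securedrop-remove-pending-sources.service confines writes to /var/lib/securedrop but does not set `NoNewPrivileges=yes`, so the www-data process running manage.py could still gain privileges through any setuid or file-capability binary it executes. Adding `NoNewPrivileges=yes` and `ProtectHome=yes` would close that gap, provided the command needs neither; the patch does not show what remove-pending-sources calls, so this needs checking against the command itself. `ReadOnlyDirectories=` and `ReadWriteDirectories=` are the legacy spellings of `ReadOnlyPaths=` and `ReadWritePaths=`; they still work, and keeping them may be deliberate if the sibling units use the same names. A `Type=oneshot` line would also document that this is a run-to-completion job started by the timer rather than a long-lived daemon.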
+++ b/securedrop/debian/rules @@ -62,12 +62,13 @@ override_dh_gencontrol: override_dh_installinit: dh_installinit --noscripts -# We want to enable all systemd units except the two that are run by timers, -# so we have to mark those two as --no-enable first, then the final -# `dh_systemd_enable` invocation will enable the rest +# We want to enable all systemd units except those that are run by timers, so +# we have to mark those as --no-enable first, then the final +# `dh_systemd_enable` invocation will enable the rest. override_dh_systemd_enable: dh_systemd_enable --no-enable securedrop-submissions-today.service dh_systemd_enable --no-enable securedrop-clean-tmp.service + dh_systemd_enable --no-enable securedrop-remove-pending-sources.service dh_systemd_enable # This is basically the same as the enable stanza above, just whether the @@ -75,4 +76,5 @@ override_dh_systemd_enable: override_dh_systemd_start: dh_systemd_start --no-start securedrop-submissions-today.service dh_systemd_start --no-start securedrop-clean-tmp.service + dh_systemd_start --no-start securedrop-remove-pending-sources.service dh_systemd_start
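Review bot: The list of timer-driven services is now written out twice, under override_dh_systemd_enable in the first hunk and under override_dh_systemd_start in the second, and the two copies have to be kept identical by hand. If a future unit is added to one list and not the other, the missing `--no-start` entry would presumably let dh_systemd_start run the job at package install or upgrade, which for a unit like this one means deleting data outside its schedule. A single make variable naming the three services, expanded by both targets, would remove that failure mode. At minimum the comment above override_dh_systemd_start could add `# Every service marked --no-enable above must also be marked --no-start here.` The second hunk's leading comment starts outside the hunk, so its full wording was not reviewed.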