We went to a restaurant with my sister and her husband after a 2h walk along the river. They went home and I put the bread in the oven and now I’m ready for some laptop time.
I wrote a bot that connects to Discord last year. It’s a nice bot. It keeps facts for each channel, it keeps timestamped notes per channel, it also connects to IRC (all of which we don’t use) and it rolls dice (which is what we use).
I wrote a Discord bot that may or may not help us in our multi-referee campaign … it allows us to keep accurate time records! You know how important those are. 😆 – 2022-06-20 Discord Bot
Sadly, it sometimes drops offline. Why? Or better yet: why doesn’t systemd restart it?
This is the service definition I use:
[Unit]
Description=Norn
After=network.target
[Install]
WantedBy=multi-user.target
[Service]
Type=simple
WorkingDirectory=/home/norn/
Restart=always
User=norn
MemoryMax=100M
MemoryHigh=120M
ExecStart=/home/alex/perl5/perlbrew/perls/perl-5.32.0/bin/perl /home/norn/norn
# (man "systemd.exec")
ReadWritePaths=/home/norn
ProtectHostname=yes
RestrictSUIDSGID=yes
UMask=0077
RemoveIPC=yes
MemoryDenyWriteExecute=yes
# Sandboxing options to harden security
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
DevicePolicy=closed
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
# Denying access to capabilities that should not be relevant
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
Hm. Gotta think about this.
#Discord #Administration
⁂
I think the problem was that I had just this symlink:
/etc/systemd/system/norn.service → /home/norn/norn.service
What I was missing was this:
/etc/systemd/system/multi-user.target.wants/norn.service → /home/norn/norn.service
When I ran the following, I got no hit:
systemctl show --property "Wants" multi-user.target | fmt -10 | grep norn
What I did:
ln -s /home/norn/norn.service /etc/systemd/system/multi-user.target.wants/
systemctl daemon-reload
I hope that’s it. I think this might have been it because I recently rebooted the server after a kernel upgrade.
– Alex 2023-02-04 21:00 UTC
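The gap described in the comment above can be checked mechanically: `Restart=always` only restarts a service that has been started, and after a reboot nothing starts a unit whose `WantedBy=` target has no `.wants/` symlink. The script below is an added example, not part of the original post. The function names `wanted_by` and `missing_wants` are made up for illustration, and the demo runs against a constructed scratch tree standing in for /etc/systemd/system.

```shell
#!/bin/sh
# Added example: report [Install] WantedBy= targets of a unit that have no
# matching <target>.wants/ symlink, i.e. the unit is linked but not enabled.

# wanted_by UNIT_FILE: print each WantedBy= target from the [Install] section.
wanted_by() {
    awk '
        /^\[/ { in_install = ($0 == "[Install]"); next }
        in_install && /^WantedBy=/ {
            sub(/^WantedBy=/, "")
            n = split($0, t, " ")
            for (i = 1; i <= n; i++) print t[i]
        }
    ' "$1"
}

# missing_wants UNIT_DIR UNIT_FILE: print targets lacking the .wants symlink.
missing_wants() {
    unit_dir=$1
    unit_file=$2
    name=$(basename "$unit_file")
    for target in $(wanted_by "$unit_file"); do
        # -e follows the symlink, so a dangling link also counts as missing
        [ -e "$unit_dir/$target.wants/$name" ] || echo "$target"
    done
}

# Constructed demo: a scratch tree standing in for /etc/systemd/system.
demo() {
    root=$(mktemp -d)
    sys="$root/etc/systemd/system"
    unit="$root/home/norn/norn.service"
    mkdir -p "$root/home/norn" "$sys"
    printf '%s\n' '[Unit]' 'Description=Norn' '[Install]' \
        'WantedBy=multi-user.target' '[Service]' 'Restart=always' > "$unit"
    ln -s "$unit" "$sys/norn.service"              # the symlink that existed
    echo "before: $(missing_wants "$sys" "$unit")"
    mkdir -p "$sys/multi-user.target.wants"
    ln -s "$unit" "$sys/multi-user.target.wants/"  # the symlink that was missing
    echo "after: $(missing_wants "$sys" "$unit")"
    rm -rf "$root"
}

demo
```

On a live system, `systemctl is-enabled norn.service` reports `linked` for the first state, and `systemctl enable` creates the `.wants/` symlink from the `[Install]` section.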