Harden API uptime with systemd ownership guard and watchdog

deploy/systemd/staysense-api.service

@@ -5,11 +5,15 @@ Wants=network-online.target
 
 [Service]
 Type=simple
-User=www-data
-Group=www-data
+User=staysense
+Group=staysense
 WorkingDirectory=/opt/staysense/backend
 Environment=STAYSENSE_SERVER_SALT=CHANGE_ME
 Environment=STAYSENSE_SIGNAL_COOLDOWN_HOURS=24
+UMask=0002
+PermissionsStartOnly=true
+ExecStartPre=/usr/bin/install -d -o staysense -g staysense -m 2775 /opt/staysense/data
+ExecStartPre=/bin/sh -c '/usr/bin/chown -f staysense:staysense /opt/staysense/data/staysense.db /opt/staysense/data/staysense.db-wal /opt/staysense/data/staysense.db-shm || true'
 ExecStart=/usr/bin/python3 /opt/staysense/backend/server.py
 Restart=always
 RestartSec=3

deploy/systemd/staysense-import.service

@@ -5,7 +5,8 @@ Wants=network-online.target
 
 [Service]
 Type=oneshot
-User=www-data
-Group=www-data
+User=staysense
+Group=staysense
 WorkingDirectory=/opt/staysense/backend
+UMask=0002
 ExecStart=/usr/bin/python3 /opt/staysense/backend/run_import_jobs.py --config /opt/staysense/docs/open_data_sources_nrw_live.json --prune-legacy

deploy/systemd/staysense-watchdog.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=StaySense API Health Watchdog
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/env bash /opt/staysense/deploy/scripts/staysense-watchdog.sh

deploy/systemd/staysense-watchdog.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Run StaySense API Watchdog every minute
+
+[Timer]
+OnBootSec=90s
+OnUnitActiveSec=60s
+Unit=staysense-watchdog.service
+
+[Install]
+WantedBy=timers.target