Harden API uptime with systemd ownership guard and watchdog

docs/DEPLOYMENT.md

@@ -13,6 +13,7 @@ Install:
 ```bash
 sudo apt update
 sudo apt install -y python3 nginx
+sudo useradd --system --create-home --shell /usr/sbin/nologin staysense || true
 ```
 
 ## 2. Code bereitstellen
@@ -21,6 +22,9 @@ sudo apt install -y python3 nginx
 sudo mkdir -p /opt/staysense
 sudo chown -R $USER:$USER /opt/staysense
 git clone <REPO_URL> /opt/staysense
+sudo mkdir -p /opt/staysense/data
+sudo chown -R staysense:staysense /opt/staysense/data
+sudo chmod 2775 /opt/staysense/data
 ```
 
 ## 3. Initialisierung
@@ -60,8 +64,11 @@ sudo systemctl status staysense-api.service
 ```bash
 sudo cp /opt/staysense/deploy/systemd/staysense-import.service /etc/systemd/system/
 sudo cp /opt/staysense/deploy/systemd/staysense-import.timer /etc/systemd/system/
+sudo cp /opt/staysense/deploy/systemd/staysense-watchdog.service /etc/systemd/system/
+sudo cp /opt/staysense/deploy/systemd/staysense-watchdog.timer /etc/systemd/system/
 sudo systemctl daemon-reload
 sudo systemctl enable --now staysense-import.timer
+sudo systemctl enable --now staysense-watchdog.timer
 sudo systemctl list-timers | grep staysense
 ```
 
@@ -99,4 +106,5 @@ sudo certbot --nginx -d staysense.example.com
 curl -s http://127.0.0.1:8787/health
 sudo journalctl -u staysense-api.service -f
 sudo journalctl -u staysense-import.service -n 100
+sudo journalctl -u staysense-watchdog.service -n 50
 ```

docs/OPERATIONS.md

@@ -34,6 +34,21 @@ Health check:
 curl -s http://127.0.0.1:8787/health
 ```
 
+Watchdog pruefen:
+
+```bash
+sudo systemctl status staysense-watchdog.timer --no-pager
+sudo journalctl -u staysense-watchdog.service -n 80 --no-pager
+```
+
+## DB Read-Only Sofortfix
+
+```bash
+sudo chown -R staysense:staysense /opt/staysense/data
+sudo chmod 2775 /opt/staysense/data
+sudo systemctl restart staysense-api.service
+```
+
 ## Backup
 
 ```bash

docs/wiki/Deployment.md

@@ -7,6 +7,7 @@ Zielplattform aktuell: Hetzner + CloudPanel + Nginx + systemd.
 - App-Code: `/opt/staysense`
 - API-Service: `staysense-api.service`
 - Import-Timer: `staysense-import.timer`
+- API-Watchdog: `staysense-watchdog.timer`
 - Frontend-Root: `/home/staysense-site/htdocs/staysense.vanityontour.de/`
 
 ## Rollout (vereinfacht)
@@ -17,12 +18,14 @@ git pull --ff-only
 rsync -a --delete /opt/staysense/src/ /home/staysense-site/htdocs/staysense.vanityontour.de/
 systemctl restart staysense-api.service
 nginx -t && systemctl reload nginx
+systemctl restart staysense-watchdog.timer
 ```
 
 ## Pflichtchecks
 
 ```bash
 systemctl is-active staysense-api.service
+systemctl is-active staysense-watchdog.timer
 curl -s -L https://staysense.vanityontour.de/api/health
 ```
 

docs/wiki/Operations-Runbook.md

@@ -5,6 +5,7 @@
 ```bash
 systemctl status staysense-api.service --no-pager
 systemctl status staysense-import.timer --no-pager
+systemctl status staysense-watchdog.timer --no-pager
 curl -s https://staysense.vanityontour.de/api/health
 ```
 
@@ -13,6 +14,7 @@ curl -s https://staysense.vanityontour.de/api/health
 ```bash
 journalctl -u staysense-api.service --no-pager -n 120
 journalctl -u staysense-import.service --no-pager -n 120
+journalctl -u staysense-watchdog.service --no-pager -n 120
 ```
 
 ## Häufige Fehlerbilder
@@ -25,6 +27,12 @@ journalctl -u staysense-import.service --no-pager -n 120
 - Datenverzeichnisrechte prüfen
 - Service-User und Besitzrechte prüfen
 
+```bash
+chown -R staysense:staysense /opt/staysense/data
+chmod 2775 /opt/staysense/data
+systemctl restart staysense-api.service
+```
+
 3. Importdaten veraltet
 - Timer-Status prüfen
 - Import-Service manuell starten