Add production build optimizations to Vite configuration; set target, output directory, and minification options for improved performance
135
timeclock.service
Normal file
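--- /dev/null
+++ b/timeclock.service
@@ -0,0 +1,135 @@
+# Systemd Service für TimeClock v3 Backend
+# Installation:
+# sudo cp timeclock.service /etc/systemd/system/
+# sudo systemctl daemon-reload
+# sudo systemctl enable timeclock
+# sudo systemctl start timeclock
+#
+# Status prüfen:
+# sudo systemctl status timeclock
+#
+# Logs ansehen:
+# sudo journalctl -u timeclock -f
+
+[Unit]
+Description=TimeClock v3 Backend API
+Documentation=https://github.com/yourusername/TimeClock
+After=network.target mysql.service mariadb.service
+Wants=mysql.service
+
+[Service]
+# Service-Typ
+Type=simple
+
+# User und Group
+User=www-data
+Group=www-data
+
+# Arbeitsverzeichnis
+WorkingDirectory=/var/www/timeclock/backend
+
+# Umgebungsvariablen
+Environment=NODE_ENV=production
+Environment=PATH=/usr/bin:/usr/local/bin
+EnvironmentFile=/var/www/timeclock/backend/.env
+
+# Start-Befehl
+ExecStart=/usr/bin/node src/index.js
+
+# Restart-Policy
+Restart=always
+RestartSec=10
+
+# Timeouts
+TimeoutStartSec=30s
+TimeoutStopSec=30s
+
+# Logging
+StandardOutput=append:/var/log/timeclock/backend.log
+StandardError=append:/var/log/timeclock/backend.error.log
+SyslogIdentifier=timeclock
+
+# Process Management
+KillMode=mixed
+KillSignal=SIGTERM
+
+# Limits
+LimitNOFILE=65536
+LimitNPROC=4096
+
+# =================================================================
+# Sicherheits-Härtung (Security Hardening)
+# =================================================================
+
+# Verhindert Privilege Escalation
+NoNewPrivileges=true
+
+# Privates /tmp Verzeichnis
+PrivateTmp=true
+
+# Schützt bestimmte Kernel-Variablen
+ProtectKernelTunables=true
+
+# Verhindert Laden von Kernel-Modulen
+ProtectKernelModules=true
+
+# Schützt Kernel-Logs
+ProtectKernelLogs=true
+
+# Verhindert Zugriff auf /proc
+ProtectProc=invisible
+
+# Verhindert Zugriff auf /sys
+ProtectControlGroups=true
+
+# Schützt Hostnamen
+ProtectHostname=true
+
+# Macht /home, /root und /run/user read-only
+ProtectHome=true
+
+# Macht das System teilweise read-only
+ProtectSystem=strict
+
+# Erlaubt Schreibzugriff auf bestimmte Verzeichnisse
+ReadWritePaths=/var/www/timeclock/backend
+ReadWritePaths=/var/log/timeclock
+
+# Verhindert Zugriff auf andere Benutzer
+PrivateUsers=false
+
+# Verhindert neue Devices
+PrivateDevices=true
+
+# Verhindert Zugriff auf Clock
+ProtectClock=true
+
+# Verhindert Realtime-Scheduling
+RestrictRealtime=true
+
+# Filtert gefährliche System-Calls
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources @obsolete
+
+# Verhindert Nutzung bestimmter Namespaces
+RestrictNamespaces=true
+
+# Verhindert SUID/SGID
+RestrictSUIDSGID=true
+
+# Entfernt Capabilities
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Address Space Layout Randomization
+LockPersonality=true
+
+# Verhindert Zugriff auf andere User-Sessions
+RemoveIPC=true
+
+# Umask setzen
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target
+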
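Review bot: Two hardening comments in the [Service] section contradict the directive beneath them: `PrivateUsers=false` is introduced as "Verhindert Zugriff auf andere Benutzer" although the setting is disabled, and `ProtectControlGroups=true` is described as blocking access to /sys when it only makes the cgroup hierarchy read-only. The comments should describe what is actually configured, e.g. `# User-Namespace-Isolation deaktiviert (PrivateUsers=true würde andere UIDs ausblenden)` and `# Macht /sys/fs/cgroup read-only`. `ReadWritePaths=/var/www/timeclock/backend` also leaves the application code and the .env file writable by the service user, which undoes much of `ProtectSystem=strict`; unless the app must write into its own tree at runtime, point this at a dedicated data directory instead. For the log files, `LogsDirectory=timeclock` would create /var/log/timeclock owned by www-data and grant write access under ProtectSystem=strict, replacing the second `ReadWritePaths` line and avoiding a start failure when the directory does not exist yet.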