feat(mqtt-bridge): add systemd service configuration for production deployments#157
Open
…eployments Provides production-ready systemd service configuration following security best practices including sandboxing, resource limits, and proper logging integration. Includes comprehensive installation guide covering setup, management, troubleshooting, and security analysis.
- Include systemd directory in published npm package
- Document npm global installation paths for systemd files
- Add binary path verification and symlink instructions
- Remove unsupported LOG_LEVEL environment variable
- Add restart loop prevention (StartLimitBurst, StartLimitIntervalSec)

Addresses Claude PR review feedback items #1, #4, #6, #7 and nice-to-have restart prevention.

Fixes three critical issues identified in comprehensive review:

1. ExecPaths compatibility with npm global installations
   - Changed from /usr/lib/node_modules to /usr/lib /usr/local/lib
   - Allows Node.js to execute code from standard npm installation paths
   - Fixes "Permission denied" errors on most Linux distributions
2. NPM path resolution for nvm/workspace environments
   - Replaced npm config get prefix with npm root -g
   - Added fallback to find via binary location for nvm users
   - Prevents ENOWORKSPACES errors in monorepo environments
3. Network address family restrictions
   - Added AF_UNIX to RestrictAddressFamilies
   - Allows Node.js IPC via Unix domain sockets
   - Prevents potential runtime failures in dependencies

These fixes ensure compatibility with:
- Standard npm installations (/usr/local)
- nvm/n/fnm version managers
- npm workspace environments
- Node.js dependencies requiring Unix sockets

Replace ReadWritePaths with StateDirectory directive which automatically creates /var/lib/ya-modbus-bridge with correct ownership when the service starts. This simplifies installation by removing manual directory creation and ownership steps.

- Document minimum systemd version requirements (v235 min, v247+ recommended)
- Fix useradd command to let StateDirectory handle directory creation
- Add serial port permissions step for Modbus RTU/RS-485 users
- Add explicit GitHub repository URL for manual file download
- Renumber installation steps after adding new serial port section

- Add PrivateDevices=yes for additional device isolation
- Extend ExecPaths to include /lib and /lib64 for broader distro compatibility
- Add robust error handling to path detection with clear error messages
- Add Node.js alternative for jq in troubleshooting section
- Add configuration backup step before package updates

- Standardize boolean values to 'yes' (was mixing 'true' and 'yes')
- Fix multiple instances section: use proper naming convention (-instance2 instead of @instance2) and add complete setup commands
- Add symlink removal step to uninstallation section
- Add MemoryLimit as cgroup v1 fallback for older systems
Codecov Report
All modified and coverable lines are covered by tests.

Coverage diff (main vs. #157, no change):

           main     #157     +/-
Coverage   97.65%   97.65%
Files      63       63
Lines      2348     2348
Branches   564      564
Hits       2293     2293
Misses     13       13
Partials   42       42
Summary

Adds comprehensive systemd service configuration for running ya-modbus-bridge as a production service on Linux systems:

Security Features
- ProtectSystem=strict, PrivateTmp, ProtectHome, PrivateDevices
- NoNewPrivileges=yes
- @system-service allowlist

Test plan
- npm pack)
- systemd-analyze security ya-modbus-bridge.service produces good score
- systemctl stop
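The commits above name the individual pieces (StateDirectory, ExecPaths with an npm-path fallback, AF_UNIX in RestrictAddressFamilies, PrivateDevices, StartLimitBurst/StartLimitIntervalSec, MemoryLimit as a cgroup v1 fallback) but the page does not show them assembled. The script below is an added example, not the PR's unit file or install guide: the package, binary, service user and env-file names are assumed, and it assumes NoExecPaths=/ sits alongside ExecPaths= (the "Permission denied" symptom the PR fixed only occurs when it does). It also carries two caveats the commits do not mention: PrivateDevices=yes hides /dev/ttyUSB*, so Modbus RTU users must swap it for a DeviceAllow= rule, and MemoryDenyWriteExecute=yes must stay off because V8's JIT needs writable-executable pages.

```shell
#!/bin/sh
# Added example, not the ya-modbus-bridge project's own unit or installer.
# Assumed names: package ya-modbus-bridge, binary /usr/local/bin/ya-modbus-bridge,
# service user ya-modbus-bridge, optional env file /etc/ya-modbus-bridge/env.
set -eu

# Directories node may execute from. They must cover the global node_modules
# dir, or node dies with EACCES ("Permission denied") loading the package.
EXEC_PATHS="/usr/bin /usr/local/bin /usr/lib /usr/local/lib /lib /lib64"

# Fallback for nvm/n/fnm: resolve the binary's symlink and walk up to the
# enclosing node_modules directory (the same answer `npm root -g` gives).
root_from_bin() {
  cur=$(readlink -f "${1:?binary path}" 2>/dev/null) || cur=
  cur=$(dirname "${cur:-/}")
  while [ "$cur" != / ]; do
    if [ "$(basename "$cur")" = node_modules ]; then printf '%s\n' "$cur"; return 0; fi
    cur=$(dirname "$cur")
  done
  echo "error: no node_modules directory above '$1'" >&2
  return 1
}

# Prefer `npm root -g`: `npm config get prefix` raises ENOWORKSPACES inside an
# npm workspace. Without npm on PATH, derive the root from the binary instead.
global_root() {
  if command -v npm >/dev/null 2>&1 && r=$(npm root -g 2>/dev/null) && [ -n "$r" ]; then
    printf '%s\n' "$r"
  else
    root_from_bin "$(command -v ya-modbus-bridge || true)"
  fi
}

# Returns 0 if $1 lies under one of EXEC_PATHS (match on whole path components).
exec_paths_cover() {
  for p in $EXEC_PATHS; do
    case "$1/" in "$p/"*) return 0 ;; esac
  done
  return 1
}

# Print the hardened unit. $1 is the global node_modules dir; it is appended to
# ExecPaths= only when the defaults do not already cover it.
unit_file() {
  exec_paths=$EXEC_PATHS
  exec_paths_cover "$1" || exec_paths="$exec_paths $1"
  cat <<EOF
[Unit]
Description=ya-modbus-bridge (Modbus to MQTT bridge)
After=network-online.target
Wants=network-online.target
# Restart-loop guard: at most 5 starts per 10 minutes, then the unit stays failed
StartLimitIntervalSec=600
StartLimitBurst=5

[Service]
User=ya-modbus-bridge
Group=ya-modbus-bridge
EnvironmentFile=-/etc/ya-modbus-bridge/env
ExecStart=/usr/local/bin/ya-modbus-bridge
Restart=on-failure
RestartSec=5s
# Creates /var/lib/ya-modbus-bridge owned by User= and writable under ProtectSystem=strict
StateDirectory=ya-modbus-bridge
ProtectSystem=strict
# An nvm install under /home needs ProtectHome=read-only here instead of yes
ProtectHome=yes
PrivateTmp=yes
# ExecPaths= only takes effect together with NoExecPaths= (both systemd 248+)
NoExecPaths=/
ExecPaths=$exec_paths
NoNewPrivileges=yes
CapabilityBoundingSet=
RestrictSUIDSGID=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
ProtectProc=invisible
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# AF_UNIX stays: libuv uses Unix socketpairs for child-process and worker IPC
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# PrivateDevices=yes hides real device nodes. Modbus RTU over /dev/ttyUSB0 needs
# the three commented lines instead, plus SupplementaryGroups=dialout.
PrivateDevices=yes
#PrivateDevices=no
#DevicePolicy=closed
#DeviceAllow=/dev/ttyUSB0 rw
# MemoryDenyWriteExecute=yes is left out on purpose: V8's JIT needs W+X pages
MemoryMax=256M
# Deprecated cgroup v1 fallback for older hosts; MemoryMax= applies on cgroup v2
MemoryLimit=256M

[Install]
WantedBy=multi-user.target
EOF
}

# Usage: sudo sh install-unit.sh --install   (writes the unit, then scores it)
case "${1:-}" in
  --install)
    unit_file "$(global_root)" > /etc/systemd/system/ya-modbus-bridge.service
    systemctl daemon-reload
    systemd-analyze security ya-modbus-bridge.service ;;
esac
```

The `systemd-analyze security` score is a heuristic over the directives present, not proof the service runs; after installing, also check `journalctl -u ya-modbus-bridge` for EACCES on the package path (ExecPaths too narrow) and EAFNOSUPPORT on socketpair (AF_UNIX missing), and for RTU deployments confirm the serial device is visible inside the service with `systemd-run -p PrivateDevices=yes ls -l /dev/ttyUSB0` before trusting the default.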