Add conservancy-www-db.service to repository, document Systemd services

TODO.md

@@ -1,6 +1,6 @@
 # To-do
 
-* consider running the /etc/systemd/system/conservancy-www-db.service on a timer so it doesn't require an Apache restart (and brief outage) - document this service too
+* consider running the /etc/systemd/system/conservancy-www-db.service on a timer so it doesn't require an Apache restart (and brief outage)
 * use `<detail>` elements for supporter page hidden sections, rather than complex jQuery - or consider Alpine.js
 * replace `internalNavigate` with inline flexbox layout
 * migrate to Django 4.2

systemd/README.md

@@ -1,12 +1,20 @@
-Install with:
+# SystemD services
+
+## Installing
+
+Install all SystemD services with:
 
     cp systemd/conservancy-www-*.{service,timer} /etc/systemd/system
     systemctl enable conservancy-www-cleanup.service
     systemctl start conservancy-www-cleanup.service
     systemctl enable conservancy-www-update.timer
     systemctl start conservancy-www-update.timer
+    systemctl enable conservancy-www-db.service
 
-Monitor with:
+
+##  Website updates
+
+Monitor the website update service with:
 
     systemctl list-timers --all
     journalctl --catalog --follow --unit conservancy-www-update.service
@@ -17,3 +25,10 @@ Updates will fail unless `/var/www/website` has a git upstream, so set that with
     git branch --set-upstream-to=upstream/master master
     
 Note that the update script does not run `migrate`.
+
+
+## Fundraiser/sustainer database updates
+
+The `conservancy-www-db.service` applies SQL updates to the website
+database. These include the fundraising total and sustainers to be publicly
+acknowledged.

systemd/conservancy-www-cleanup.service

@@ -1,3 +1,5 @@
+# Remove old Django login sessions.
+
 [Unit]
 Description=Cleanup Conservancy website
 Before=apache2.service

systemd/conservancy-www-db.service

@@ -0,0 +1,28 @@
+# Update the fundraiser total/sustainer list from an SQL file on Apache restart.
+
+[Unit]
+Description=Update Conservancy website database
+Before=apache2.service
+
+[Service]
+Type=oneshot
+User=www-data
+ExecStart=/usr/bin/sqlite3 -bail /var/lib/www/database/conservancy-website.sqlite3 ".timeout 30000" "BEGIN TRANSACTION;" ".read /home/debian/django-supporters-list.sql" "COMMIT;"
+
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
+CapabilityBoundingSet=
+NoNewPrivileges=true
+
+PrivateDevices=true
+PrivateNetwork=true
+PrivateTmp=true
+PrivateUsers=false
+ProtectControlGroups=true
+ProtectHome=read-only
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/var/lib/www/database
+
+[Install]
+WantedBy=apache2.service

systemd/conservancy-www-update.service

@@ -1,3 +1,5 @@
+# Run the website update script (see also: conservancy-www-update.timer).
+
 [Unit]
 Description=Update Conservancy website checkout
 

systemd/conservancy-www-update.sh

@@ -1,5 +1,10 @@
 #!/bin/sh
 
+# Pull in and apply Conservancy website updates from the git repository.
+#
+# This is intended to be run on a timer. Note that it does *not* restart the
+# Django application or run the migrate and collectstatic commands.
+
 set -e
 set -u
 set -x