systemd: Replace cron infrastructure.

cron/cron.d/website-update

@@ -1 +0,0 @@
-*/5 * * * * www $HOME/website/cron/scripts/website-update.sh

cron/cron.monthly/django-cleanup

@@ -1,20 +0,0 @@
-#!/bin/sh
-# Copyright (C) 2008, Jim Garrison
-
-# Permission to use, copy, modify, distribute and/or distributed modified
-# versions of this software for any purpose with or without fee is hereby
-# granted, provided that the above copyright notice and this permission
-# notice appear in all copies.
-
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-# IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-# Clean old data from the database (expired admin sessions)
-# (see http://www.djangoproject.com/documentation/django-admin/)
-
-python /var/www/conservancy/manage.py cleanup

systemd/conservancy-www-cleanup.service

@@ -0,0 +1,26 @@
+[Unit]
+Description=Cleanup Conservancy website
+Before=apache2.service
+
+[Service]
+Type=oneshot
+User=www
+ExecStart=/usr/bin/python /var/www/website/www/manage.py clearsessions --verbosity 0
+
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
+CapabilityBoundingSet=
+NoNewPrivileges=true
+
+PrivateDevices=true
+PrivateNetwork=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/var/lib/www/database
+
+[Install]
+WantedBy=apache2.service

systemd/conservancy-www-update.service

@@ -0,0 +1,23 @@
+[Unit]
+Description=Update Conservancy website checkout
+
+[Service]
+Type=oneshot
+User=www
+WorkingDirectory=/var/www/website
+ExecStart=/var/www/website/systemd/conservancy-www-update.sh
+
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
+CapabilityBoundingSet=
+NoNewPrivileges=true
+
+PrivateDevices=true
+PrivateNetwork=false
+PrivateTmp=true
+PrivateUsers=false
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/var/www/website

systemd/conservancy-www-update.timer

@@ -0,0 +1,8 @@
+[Unit]
+Description=Update Conservancy website checkout
+
+[Timer]
+OnCalendar=*:0/5
+
+[Install]
+WantedBy=timers.target