Source-of-truth had drifted from /etc/systemd/system/breakglass-sync.service on the deployed VM (installed had 8h timeout, source had 1h). My hot-patch on 2026-05-15 raised the running unit to 16h + 4G after the service kept timing out at 8h during full-fleet sync runs (large LFS objects + GitHub intermittent failures across ~hundreds of repos). Realigning source to match installed values + headroom for slow days. Current run after the bump: Memory peak 1.0G against the new 4G ceiling (vs would-have-OOMed at the old 1G limit).
33 lines
852 B
Desktop File
[Unit]
Description=Breakglass FOSS Git Mirror — sync run
Documentation=https://git.mineracks.com/mineracks/foss_breakglass_git_mirror
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
User=breakglass
Group=breakglass
EnvironmentFile=/etc/breakglass/mirror.env
ExecStart=/opt/breakglass/scripts/breakglass-sync.sh

# Hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/breakglass /var/log/breakglass /var/lib/breakglass/releases
# IMPORTANT: The service cannot delete from /var/lib/breakglass/audit
# due to the append-only filesystem attribute set during install.
PrivateTmp=true
PrivateDevices=true

# Resource limits — be a good neighbour
MemoryMax=4G
CPUQuota=80%

# Allow long runs (large repos can take a while)
TimeoutStartSec=57600

[Install]
WantedBy=multi-user.target
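
The drift this commit corrects, between the unit file in source control and the installed /etc/systemd/system/breakglass-sync.service, can be caught mechanically. The following is an added example, not part of the repository: a POSIX shell check that compares the directives of two unit files while ignoring comments and whitespace. The function names and the sample fragments (built from the 1h and 8h timeouts named in the commit message) are constructed for illustration.

```shell
#!/bin/sh
# Added example: directive-level drift check between two systemd unit files.

# Print "[Section] Key=Value" lines, sorted; comments, blanks and indentation dropped.
normalize_unit() {
    [ -r "$1" ] || return 2
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); section = $0; next }
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print section " " $0 }
    ' "$1" | LC_ALL=C sort
}

# unit_drift SOURCE INSTALLED
# Returns 0 when directives match, 1 when they differ (differences printed),
# 2 when either file cannot be read.
unit_drift() {
    d=$(mktemp -d) || return 2
    if normalize_unit "$1" > "$d/src" && normalize_unit "$2" > "$d/inst"; then
        if cmp -s "$d/src" "$d/inst"; then
            rc=0
        else
            LC_ALL=C comm -23 "$d/src" "$d/inst" | sed 's/^/source:    /'
            LC_ALL=C comm -13 "$d/src" "$d/inst" | sed 's/^/installed: /'
            rc=1
        fi
    else
        rc=2
    fi
    rm -rf "$d"
    return "$rc"
}

# Constructed sample input: source says 1h (3600 s), installed says 8h (28800 s).
demo_drift() {
    t=$(mktemp -d) || return 2
    printf '[Service]\nType=oneshot\n# limit\nTimeoutStartSec=3600\n' > "$t/repo.service"
    printf '[Service]\n  Type=oneshot\nTimeoutStartSec=28800\n' > "$t/installed.service"
    unit_drift "$t/repo.service" "$t/installed.service"; rc=$?
    rm -rf "$t"
    return "$rc"
}

# Real use: sh drift.sh <unit file in the checkout> <installed unit file>
if [ "$#" -eq 2 ]; then unit_drift "$1" "$2"; fi
```

The comparison reads only the two files it is given, so settings applied through drop-in override files in a `.service.d/` directory are not seen by it.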