Services restart script

drcrazy · drcrazy · commit 40fc556c8c6f · 2026-04-28T20:40:36.000+03:00
diff --git a/deploy/nginx/nginx-frontend-standalone.conf b/deploy/nginx/nginx-frontend-standalone.conf
@@ -8,9 +8,23 @@
 #   # or merge this server block into /etc/nginx and use the stock unit instead.
 #   chgrp -R nginx /var/www/Node-Script/artifacts/game-client/dist/public
 #   chmod -R g+rX    /var/www/Node-Script/artifacts/game-client/dist/public
-#   # SELinux: setsebool -P httpd_can_network_connect 1
+#   # SELinux (proxy to Node): setsebool -P httpd_can_network_connect 1
 #
 # Edit paths below if the deploy root is not /var/www/Node-Script
+#
+# If root= is under /home/... and Nginx logs "Permission denied" (13) for index.html:
+#   1) Path + execute bits: the nginx worker (user "nginx") must be able to *traverse* every
+#      directory from / down to dist/public. A home dir of mode 700 (e.g. /home/adept) blocks
+#      everyone but the owner — chgrp on dist/public is not enough. Fix one of:
+#        - Best: move the app to e.g. /var/www/... (see WorkingDirectory in game-api.service).
+#        - Or:  usermod -aG adept nginx   and   chmod 750 /home/adept
+#            (or at least o+x on /home, /home/adept, and any parent that is not group-readable;
+#            group membership + 750 is cleaner than 711 on home for everyone).
+#   2) SELinux: if getenforce is Enforcing, files may be home_t. Either:
+#        - semanage fcontext -a -t httpd_sys_content_t '/home/adept/node_app/artifacts/game-client/dist/public(/.*)?'
+#          restorecon -RFv .../public
+#        - or, if policy allows: setsebool -P httpd_read_user_content 1
+#          and/or: setsebool -P httpd_enable_homedirs 1
 
 user nginx;
 worker_processes auto;
diff --git a/deploy/restart-workspace.sh b/deploy/restart-workspace.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# Restart workspace services after a deploy. Intended to run as root.
+#
+# One-time on the server:
+#   sudo install -m 755 -o root -g root deploy/restart-workspace.sh /usr/local/bin/restart-workspace.sh
+#
+# Sudoers for the CI/deploy user (use visudo), allow only this script, no password:
+#   deploy ALL=(ALL) NOPASSWD: /usr/local/bin/restart-workspace.sh
+#
+# GitHub Actions secret DEPLOY_COMMAND:
+#   sudo /usr/local/bin/restart-workspace.sh
+#
+# If you change systemd unit files under /etc/systemd/system/, run once on the server:
+#   sudo systemctl daemon-reload
+
+set -euo pipefail
+
+systemctl restart game-api
+systemctl reload game-frontend
