feat: add systemd feature

roles/peertube/tasks/main.yml

@@ -73,3 +73,16 @@
       bash -lic "yarn install --production --pure-lockfile"
     chdir: "{{ peertube_home }}/peertube-latest"
   changed_when: true
+
+- name: Install services
+  ansible.builtin.template:
+    src: peertube.service.j2
+    dest: /etc/systemd/system/peertube.service
+    mode: 0644
+
+- name: Run services
+  ansible.builtin.systemd:
+    name: peertube.service
+    daemon_reload: true
+    state: restarted  # restart everytime, this is simpler
+    enabled: true

roles/peertube/templates/peertube.service.j2

@@ -0,0 +1,33 @@
+[Unit]
+Description=PeerTube daemon
+After=network.target postgresql.service redis-server.service
+
+[Service]
+Type=simple
+Environment=NODE_ENV=production
+Environment=NODE_CONFIG_DIR={{ peertube_home }}/config
+User=peertube
+Group=peertube
+ExecStart=/usr/bin/node dist/server
+WorkingDirectory={{ peertube_home }}/peertube-latest
+SyslogIdentifier=peertube
+Restart=always
+
+; Some security directives.
+; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
+ProtectSystem=full
+; Sets up a new /dev mount for the process and only adds API pseudo devices
+; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
+; by default because it may not work on devices like the Raspberry Pi.
+PrivateDevices=false
+; Ensures that the service process and all its children can never gain new
+; privileges through execve().
+NoNewPrivileges=true
+; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
+; by this unit. Make sure that you do not depend on data inside these folders.
+ProtectHome=true
+; Drops the sys admin capability from the daemon.
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+
+[Install]
+WantedBy=multi-user.target