core/manage-your-printer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FIN INIT

Browse Source
This commit is contained in:
Till Tomczak
2025-06-04 10:03:22 +02:00
commit 785a2b6134
14182 changed files with 1764617 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
systemd/kiosk-watchdog-python.service Normal file
View File

@@ -0,0 +1,53 @@
[Unit]
Description=MYP Kiosk Watchdog Service - Python-basierte intelligente Überwachung
Documentation=https://github.com/MYP-Druckerverwaltung
After=multi-user.target myp-https.service
Wants=myp-https.service
[Service]
Type=simple
User=root
Restart=always
RestartSec=30
TimeoutStartSec=60
TimeoutStopSec=30
# Python-basierter Watchdog mit erweiterten Features
WorkingDirectory=/opt/myp
ExecStartPre=/usr/bin/python3 -c "import psutil, requests; print('Python-Dependencies verfügbar')"
ExecStart=/usr/bin/python3 /opt/myp/utils/watchdog_manager.py --app-dir /opt/myp --daemon
# Umgebungsvariablen für Python-Watchdog
Environment=PYTHONPATH=/opt/myp
Environment=PYTHONUNBUFFERED=1
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Environment=DISPLAY=:0
Environment=SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
Environment=LC_ALL=C.UTF-8
Environment=LANG=C.UTF-8
# Logging-Konfiguration
StandardOutput=journal
StandardError=journal
SyslogIdentifier=myp-watchdog-python
# Sicherheitseinstellungen
NoNewPrivileges=false
PrivateTmp=false
ProtectSystem=strict
ReadWritePaths=/var/log
ReadWritePaths=/opt/myp
ReadWritePaths=/home/kiosk
ReadWritePaths=/proc/sys/vm
ReadWritePaths=/tmp
# Resource-Limits für Python-Prozess
MemoryMax=512M
CPUQuota=50%
# Restart-Verhalten bei Fehlern
StartLimitBurst=5
StartLimitInterval=300
[Install]
WantedBy=multi-user.target

205
systemd/kiosk-watchdog.service Normal file
View File

@@ -0,0 +1,205 @@
[Unit]
Description=MYP Kiosk Watchdog Service - Intelligente Überwachung für HTTPS Backend und Kiosk-Browser
Documentation=https://github.com/MYP-Druckerverwaltung
After=multi-user.target myp-https.service
Wants=myp-https.service
[Service]
Type=simple
User=root
Restart=always
RestartSec=30
TimeoutStartSec=60
TimeoutStopSec=30
# Intelligentes Watchdog-Skript mit modularer Struktur
ExecStart=/bin/bash -c '\
# === KONFIGURATION === \
readonly HTTPS_SERVICE="myp-https" \
readonly KIOSK_SERVICE="myp-kiosk" \
readonly KIOSK_USER="kiosk" \
readonly HTTPS_URL="https://localhost:443" \
readonly APP_DIR="/opt/myp" \
readonly LOG_FILE="/var/log/kiosk-watchdog.log" \
readonly CHECK_INTERVAL=30 \
readonly HTTPS_TIMEOUT=10 \
readonly RESTART_DELAY=15 \
readonly MAX_MEMORY_PERCENT=85 \
readonly CERT_EXPIRE_DAYS=7 \
\
# === LOGGING-FUNKTIONEN === \
log_info() { echo "$(date "+%Y-%m-%d %H:%M:%S") [INFO] $1" >> "$LOG_FILE"; } \
log_warn() { echo "$(date "+%Y-%m-%d %H:%M:%S") [WARN] $1" >> "$LOG_FILE"; } \
log_error() { echo "$(date "+%Y-%m-%d %H:%M:%S") [ERROR] $1" >> "$LOG_FILE"; } \
\
# === HILFSFUNKTIONEN === \
is_service_active() { systemctl is-active --quiet "$1"; } \
is_service_enabled() { systemctl is-enabled --quiet "$1"; } \
restart_service() { \
log_info "Starte Service neu: $1"; \
systemctl restart "$1" && sleep "$RESTART_DELAY" || log_error "Service-Neustart fehlgeschlagen: $1"; \
} \
\
check_https_connectivity() { \
curl -k -s --connect-timeout "$HTTPS_TIMEOUT" --max-time "$HTTPS_TIMEOUT" "$HTTPS_URL" >/dev/null 2>&1; \
} \
\
check_ssl_certificate() { \
local cert_file="$APP_DIR/certs/localhost/localhost.crt" \
[ -f "$cert_file" ] && openssl x509 -in "$cert_file" -noout -checkend $((86400 * CERT_EXPIRE_DAYS)) >/dev/null 2>&1; \
} \
\
regenerate_ssl_certificate() { \
log_warn "Regeneriere SSL-Zertifikat..."; \
if python3 -c "import sys; sys.path.insert(0, \"$APP_DIR\"); from utils.ssl_config import ensure_ssl_certificates; ensure_ssl_certificates(\"$APP_DIR\", True)" 2>/dev/null; then \
log_info "SSL-Zertifikat erfolgreich regeneriert"; \
restart_service "$HTTPS_SERVICE"; \
else \
log_error "SSL-Zertifikat-Regenerierung fehlgeschlagen"; \
fi \
} \
\
check_kiosk_user_session() { \
pgrep -u "$KIOSK_USER" >/dev/null 2>&1; \
} \
\
check_chromium_process() { \
pgrep -u "$KIOSK_USER" -f "chromium.*kiosk" >/dev/null 2>&1; \
} \
\
check_x_server() { \
pgrep -f "X.*:0" >/dev/null 2>&1; \
} \
\
check_display_availability() { \
[ -n "$(DISPLAY=:0 xdpyinfo 2>/dev/null)" ]; \
} \
\
get_memory_usage() { \
free | awk "/^Mem:/ {printf \"%.1f\", \$3/\$2 * 100.0}"; \
} \
\
cleanup_system_resources() { \
log_info "Bereinige Systemressourcen (Speichernutzung: $(get_memory_usage)%)"; \
\
# Browser-Cache bereinigen \
rm -rf "/home/$KIOSK_USER/.chromium-kiosk/Default/Cache"/* 2>/dev/null || true; \
rm -rf "/home/$KIOSK_USER/.cache"/* 2>/dev/null || true; \
\
# Temporäre Dateien bereinigen \
find "/tmp" -type f -atime +1 -delete 2>/dev/null || true; \
find "$APP_DIR/uploads/temp" -type f -mtime +1 -delete 2>/dev/null || true; \
\
# System-Cache leeren \
sync; \
echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true; \
\
log_info "Systemressourcen bereinigt - neue Speichernutzung: $(get_memory_usage)%"; \
} \
\
restart_kiosk_session() { \
log_warn "Starte Kiosk-Session neu..."; \
\
# Beende alle Kiosk-Prozesse sanft \
pkill -u "$KIOSK_USER" -TERM 2>/dev/null || true; \
sleep 5; \
\
# Erzwinge Beendigung falls nötig \
pkill -u "$KIOSK_USER" -KILL 2>/dev/null || true; \
sleep 2; \
\
# Starte Getty-Service neu für Autologin \
systemctl restart getty@tty1.service; \
sleep "$RESTART_DELAY"; \
\
log_info "Kiosk-Session neugestartet"; \
} \
\
# === HAUPTÜBERWACHUNGSSCHLEIFE === \
log_info "Kiosk-Watchdog gestartet (PID: $$)"; \
\
while true; do \
# === HTTPS BACKEND ÜBERWACHUNG === \
if ! is_service_active "$HTTPS_SERVICE"; then \
log_error "HTTPS-Service nicht aktiv"; \
restart_service "$HTTPS_SERVICE"; \
elif ! check_https_connectivity; then \
log_error "HTTPS Backend nicht erreichbar"; \
restart_service "$HTTPS_SERVICE"; \
fi; \
\
# === SSL-ZERTIFIKAT ÜBERWACHUNG === \
if ! check_ssl_certificate; then \
if [ -f "$APP_DIR/certs/localhost/localhost.crt" ]; then \
log_warn "SSL-Zertifikat läuft in $CERT_EXPIRE_DAYS Tagen ab"; \
else \
log_error "SSL-Zertifikat fehlt"; \
fi; \
regenerate_ssl_certificate; \
fi; \
\
# === KIOSK-SESSION ÜBERWACHUNG === \
if ! check_kiosk_user_session; then \
log_error "Kiosk-Benutzer-Session nicht aktiv"; \
restart_kiosk_session; \
elif ! check_x_server; then \
log_error "X-Server nicht verfügbar"; \
restart_kiosk_session; \
elif ! check_display_availability; then \
log_error "Display :0 nicht verfügbar"; \
restart_kiosk_session; \
elif ! check_chromium_process; then \
log_warn "Chromium-Kiosk-Prozess nicht gefunden"; \
if is_service_enabled "$KIOSK_SERVICE"; then \
systemctl --user start "$KIOSK_SERVICE" 2>/dev/null || true; \
else \
sudo -u "$KIOSK_USER" DISPLAY=:0 chromium --kiosk --no-sandbox --ignore-certificate-errors "$HTTPS_URL" >/dev/null 2>&1 & \
fi; \
sleep "$RESTART_DELAY"; \
fi; \
\
# === SYSTEMRESSOURCEN ÜBERWACHUNG === \
memory_usage=$(get_memory_usage); \
if (( $(echo "$memory_usage > $MAX_MEMORY_PERCENT" | bc -l 2>/dev/null || echo 0) )); then \
log_warn "Hohe Speichernutzung: ${memory_usage}%"; \
cleanup_system_resources; \
fi; \
\
# === LOG-ROTATION === \
if [ -f "$LOG_FILE" ] && [ $(stat -c%s "$LOG_FILE" 2>/dev/null || echo 0) -gt 10485760 ]; then \
tail -n 1000 "$LOG_FILE" > "${LOG_FILE}.tmp" && mv "${LOG_FILE}.tmp" "$LOG_FILE"; \
log_info "Log-Datei rotiert (>10MB)"; \
fi; \
\
# Warte bis zur nächsten Prüfung \
sleep "$CHECK_INTERVAL"; \
done'
# Umgebungsvariablen für optimierte Überwachung
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Environment=DISPLAY=:0
Environment=PYTHONPATH=/opt/myp
Environment=SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
Environment=LC_ALL=C.UTF-8
Environment=LANG=C.UTF-8
# Logging-Konfiguration
StandardOutput=append:/var/log/kiosk-watchdog.log
StandardError=append:/var/log/kiosk-watchdog.log
# Sicherheitseinstellungen
NoNewPrivileges=false
PrivateTmp=false
ProtectSystem=strict
ReadWritePaths=/var/log
ReadWritePaths=/opt/myp
ReadWritePaths=/home/kiosk
ReadWritePaths=/proc/sys/vm
ReadWritePaths=/tmp
# Resource-Limits
MemoryMax=256M
CPUQuota=25%
[Install]
WantedBy=multi-user.target

91
systemd/myp-firewall.service Normal file
View File

@@ -0,0 +1,91 @@
[Unit]
Description=MYP Firewall Configuration Service
Documentation=https://github.com/MYP-Druckerverwaltung
After=firewalld.service
Wants=firewalld.service
Requires=firewalld.service
[Service]
Type=oneshot
RemainAfterExit=yes
User=root
Group=root
# Firewall-Konfiguration für MYP Backend
ExecStart=/bin/bash -c '\
# Warte bis firewalld vollständig gestartet ist \
sleep 5; \
\
# Zone definieren (falls nicht vorhanden) \
firewall-cmd --permanent --new-zone=myp-backend 2>/dev/null || true; \
\
# Erweiterte Netzwerk-Quellen definieren (nur IPv4) \
firewall-cmd --permanent --zone=myp-backend --add-source=192.168.0.0/16; \
firewall-cmd --permanent --zone=myp-backend --add-source=127.0.0.1/32; \
\
# Lokaler Hostname "raspberrypi" hinzufügen \
LOCAL_HOSTNAME="raspberrypi"; \
LOCAL_IP=$(getent hosts "$LOCAL_HOSTNAME" | awk "{print \$1}" | grep -E "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$" | head -1 2>/dev/null || true); \
if [ -n "$LOCAL_IP" ]; then \
firewall-cmd --permanent --zone=myp-backend --add-source="$LOCAL_IP/32" 2>/dev/null || true; \
logger "MYP Firewall: Lokaler Hostname $LOCAL_HOSTNAME hinzugefügt: $LOCAL_IP"; \
else \
logger "MYP Firewall: Lokaler Hostname $LOCAL_HOSTNAME nicht auflösbar"; \
fi; \
\
# Frontend-Server m040tbaraspi001 hinzufügen (falls auflösbar) \
FRONTEND_IP=$(getent hosts "m040tbaraspi001" | awk "{print \$1}" | grep -E "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$" | head -1 2>/dev/null || true); \
if [ -n "$FRONTEND_IP" ]; then \
firewall-cmd --permanent --zone=myp-backend --add-source="$FRONTEND_IP/32" 2>/dev/null || true; \
logger "MYP Firewall: Frontend-Server m040tbaraspi001 hinzugefügt: $FRONTEND_IP"; \
else \
# Versuche auch mit FQDN \
FRONTEND_FQDN_IP=$(getent hosts "m040tbaraspi001.de040.corpintra.net" | awk "{print \$1}" | grep -E "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$" | head -1 2>/dev/null || true); \
if [ -n "$FRONTEND_FQDN_IP" ]; then \
firewall-cmd --permanent --zone=myp-backend --add-source="$FRONTEND_FQDN_IP/32" 2>/dev/null || true; \
logger "MYP Firewall: Frontend-Server m040tbaraspi001.de040.corpintra.net hinzugefügt: $FRONTEND_FQDN_IP"; \
else \
logger "MYP Firewall: Frontend-Server m040tbaraspi001 nicht auflösbar"; \
fi; \
fi; \
\
# HTTPS für API & Kiosk \
firewall-cmd --permanent --zone=myp-backend --add-port=443/tcp; \
\
# SSH für Wartung \
firewall-cmd --permanent --zone=myp-backend --add-service=ssh; \
\
# RDP für Remote-Desktop \
firewall-cmd --permanent --zone=myp-backend --add-port=3389/tcp; \
\
# IPv6 in firewalld deaktivieren \
firewall-cmd --permanent --set-target=DROP --zone=public --family=ipv6 2>/dev/null || true; \
firewall-cmd --permanent --set-target=DROP --zone=myp-backend --family=ipv6 2>/dev/null || true; \
\
# Default-Zone setzen \
firewall-cmd --set-default-zone=myp-backend; \
\
# Änderungen übernehmen \
firewall-cmd --reload; \
\
# Status loggen \
logger "MYP Firewall: Konfiguration erfolgreich angewendet (IPv6 deaktiviert, Frontend-Server m040tbaraspi001)"; \
firewall-cmd --list-all-zones | logger -t "MYP-Firewall"; \
'
# Umgebungsvariablen
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=myp-firewall
# Sicherheitseinstellungen
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=false
ProtectHome=true
[Install]
WantedBy=multi-user.target

45
systemd/myp-https.service Normal file
View File

@@ -0,0 +1,45 @@
[Unit]
Description=MYP Druckerverwaltung HTTP Backend (Port 5000)
Documentation=https://github.com/MYP-Druckerverwaltung
After=network.target network-online.target
Wants=network-online.target
Requires=network.target
[Service]
Type=simple
User=root
Group=root
WorkingDirectory=/opt/myp
# Vereinfachter Start-Befehl - startet direkt die Python-App im Produktionsmodus
ExecStart=/usr/bin/python3 /opt/myp/app.py --production
Restart=always
RestartSec=10
StartLimitBurst=5
StartLimitInterval=300
# Umgebungsvariablen für optimale Performance
Environment=PYTHONUNBUFFERED=1
Environment=FLASK_ENV=production
Environment=FLASK_HOST=0.0.0.0
Environment=FLASK_PORT=5000
Environment=PYTHONPATH=/opt/myp
Environment=LC_ALL=C.UTF-8
Environment=LANG=C.UTF-8
Environment=KIOSK_MODE=true
Environment=USE_OPTIMIZED_CONFIG=true
# Logging-Konfiguration
StandardOutput=journal
StandardError=journal
SyslogIdentifier=myp-backend
# Sicherheitseinstellungen (gelockert für bessere Kompatibilität)
NoNewPrivileges=true
PrivateTmp=false
ProtectSystem=false
ReadWritePaths=/opt/myp
ReadWritePaths=/var/log
ReadWritePaths=/tmp
[Install]
WantedBy=multi-user.target

226
systemd/myp-kiosk.service Normal file
View File

@@ -0,0 +1,226 @@
[Unit]
Description=MYP Kiosk Browser Autostart (Chromium HTTPS) - Wartungsfreier Produktionsbetrieb
Documentation=https://github.com/MYP-Druckerverwaltung
After=graphical-session.target myp-https.service network-online.target
Wants=myp-https.service network-online.target
Requires=graphical-session.target
StartLimitBurst=5
StartLimitInterval=600
[Service]
Type=simple
User=kiosk
Group=kiosk
Environment=DISPLAY=:0
Environment=XAUTHORITY=/home/kiosk/.Xauthority
Environment=HOME=/home/kiosk
Environment=XDG_RUNTIME_DIR=/run/user/1001
Environment=WAYLAND_DISPLAY=
Environment=GDK_BACKEND=x11
WorkingDirectory=/home/kiosk
# Robuste Backend-Wartung mit verbesserter Fehlererkennung
ExecStartPre=/bin/bash -c '\
echo "=== MYP Kiosk-Service startet $(date) ==="; \
\
# Prüfe ob X11 läuft \
for i in {1..30}; do \
if DISPLAY=:0 xset q >/dev/null 2>&1; then \
echo "✅ X11 Display verfügbar"; \
break; \
fi; \
echo "⏳ Warte auf X11 Display... ($i/30)"; \
sleep 2; \
done; \
\
# Warte auf HTTP-Backend mit verbesserter Erkennung \
echo "🔍 Warte auf HTTP Backend..."; \
for i in {1..120}; do \
if curl -s --connect-timeout 3 --max-time 5 http://localhost:5000/api/kiosk/status >/dev/null 2>&1; then \
echo "✅ HTTP Backend erreichbar und API verfügbar"; \
break; \
elif curl -s --connect-timeout 3 --max-time 5 http://localhost:5000 >/dev/null 2>&1; then \
echo "✅ HTTP Backend erreichbar"; \
break; \
fi; \
echo "⏳ Warte auf Backend... ($i/120)"; \
sleep 3; \
done; \
\
# Räume alte Browser-Prozesse auf \
pkill -f "chromium.*kiosk" 2>/dev/null || true; \
pkill -f "firefox.*kiosk" 2>/dev/null || true; \
sleep 2; \
'
# Robuster Kiosk-Start mit Fehlerresilienz
ExecStart=/bin/bash -c '\
set -e; \
\
# Logging-Setup \
LOG_FILE="/var/log/myp-kiosk.log"; \
exec 1> >(tee -a "$LOG_FILE"); \
exec 2>&1; \
\
echo "🚀 Starte Kiosk-Modus $(date)"; \
\
# Bildschirmauflösung robust ermitteln \
RESOLUTION=$(DISPLAY=:0 xrandr 2>/dev/null | grep -E "\*|\+" | head -1 | awk "{print \$1}" || echo "1920x1080"); \
WIDTH=$(echo $RESOLUTION | cut -d"x" -f1); \
HEIGHT=$(echo $RESOLUTION | cut -d"x" -f2); \
echo "📺 Bildschirmauflösung: ${WIDTH}x${HEIGHT}"; \
\
# Display-Konfiguration optimieren \
DISPLAY=:0 xset s off 2>/dev/null || true; \
DISPLAY=:0 xset s noblank 2>/dev/null || true; \
DISPLAY=:0 xset -dpms 2>/dev/null || true; \
DISPLAY=:0 xset r rate 250 30 2>/dev/null || true; \
echo "⚙️ Display-Energieverwaltung deaktiviert"; \
\
# Mauszeiger verstecken \
if command -v unclutter >/dev/null 2>&1; then \
DISPLAY=:0 unclutter -idle 0.5 -root -noevents & \
echo "🖱️ Mauszeiger-Versteckung aktiviert"; \
fi; \
\
# Browser-Auswahl mit Prioritäten \
BROWSER=""; \
BROWSER_ARGS=""; \
\
if command -v chromium >/dev/null 2>&1; then \
BROWSER="chromium"; \
elif command -v chromium-browser >/dev/null 2>&1; then \
BROWSER="chromium-browser"; \
elif command -v google-chrome >/dev/null 2>&1; then \
BROWSER="google-chrome"; \
elif command -v firefox-esr >/dev/null 2>&1; then \
BROWSER="firefox-esr"; \
elif command -v firefox >/dev/null 2>&1; then \
BROWSER="firefox"; \
else \
echo "❌ Kein unterstützter Browser gefunden"; \
exit 1; \
fi; \
\
echo "🌐 Verwende Browser: $BROWSER"; \
\
# Browser-spezifische Argumente \
if [[ "$BROWSER" == "chromium"* ]] || [[ "$BROWSER" == "google-chrome"* ]]; then \
BROWSER_ARGS=" \
--kiosk \
--no-sandbox \
--disable-dev-shm-usage \
--disable-gpu-sandbox \
--disable-software-rasterizer \
--disable-background-timer-throttling \
--disable-backgrounding-occluded-windows \
--disable-renderer-backgrounding \
--disable-field-trial-config \
--disable-features=TranslateUI,VizDisplayCompositor,AudioServiceOutOfProcess \
--enable-features=OverlayScrollbar,VaapiVideoDecoder \
--force-device-scale-factor=1.0 \
--window-size=${WIDTH},${HEIGHT} \
--window-position=0,0 \
--user-data-dir=/home/kiosk/.chromium-kiosk \
--disable-infobars \
--disable-session-crashed-bubble \
--disable-restore-session-state \
--disable-extensions \
--disable-plugins \
--disable-popup-blocking \
--disable-prompt-on-repost \
--disable-sync \
--disable-translate \
--noerrdialogs \
--no-first-run \
--no-default-browser-check \
--no-crash-upload \
--disable-crash-reporter \
--disable-logging \
--autoplay-policy=no-user-gesture-required \
--disable-background-mode \
--disable-pinch \
--overscroll-history-navigation=0 \
--memory-pressure-off \
--max_old_space_size=512 \
--hide-scrollbars \
--ignore-certificate-errors \
--ignore-ssl-errors \
--ignore-certificate-errors-spki-list \
--disable-web-security \
--allow-running-insecure-content \
--disable-extensions \
--disable-blink-features=AutomationControlled \
--disable-ipc-flooding-protection"; \
else \
# Firefox-Argumente \
BROWSER_ARGS=" \
--kiosk \
--width=${WIDTH} \
--height=${HEIGHT} \
--no-remote \
--new-instance"; \
fi; \
\
# URL mit Fallback \
TARGET_URL="http://localhost:5000"; \
\
# Browser starten mit Fehlerbehandlung \
echo "🖥️ Starte $BROWSER im Kiosk-Modus..."; \
echo "🔗 URL: $TARGET_URL"; \
\
# Umgebungsvariablen setzen \
export DISPLAY=:0; \
export HOME=/home/kiosk; \
export XDG_RUNTIME_DIR=/run/user/1001; \
export LIBGL_ALWAYS_SOFTWARE=1; \
export MOZ_DISABLE_RDD_SANDBOX=1; \
export MOZ_DISABLE_CONTENT_SANDBOX=1; \
\
# Browser-Start mit exec für korrekte Signal-Behandlung \
exec $BROWSER $BROWSER_ARGS "$TARGET_URL" 2>&1; \
'
# Robuste Restart-Konfiguration für wartungsfreien Betrieb
Restart=always
RestartSec=15
StartLimitBurst=5
StartLimitInterval=600
TimeoutStartSec=300
TimeoutStopSec=30
KillMode=mixed
KillSignal=SIGTERM
# Ressourcen-Management für Stabilität
LimitNOFILE=65536
LimitNPROC=4096
MemoryHigh=1G
MemoryMax=1.5G
CPUQuota=80%
# Erweiterte Service-Überwachung
WatchdogSec=60
NotifyAccess=all
# Fehlerresilienz-Features
PrivateNetwork=false
PrivateTmp=true
ProtectHome=false
ProtectSystem=strict
ReadWritePaths=/home/kiosk /var/log /tmp
NoNewPrivileges=false
# Logging-Konfiguration
StandardOutput=journal
StandardError=journal
SyslogIdentifier=myp-kiosk
LogRateLimitBurst=1000
LogRateLimitIntervalSec=30
# Service-Abhängigkeiten für robuste Startsequenz
Requisite=myp-https.service
BindsTo=graphical-session.target
[Install]
WantedBy=graphical-session.target
Also=myp-https.service