feat: add systemd services and nginx config

- signal-cli-bot.service: runs signal-cli daemon on 127.0.0.1:8081 - github-to-signal.service: depends on signal-cli-bot, auto-starts it - nginx reverse proxy with TLS termination - README updated with full deployment instructions
2026-04-02 03:09:09 -07:00 · 2026-03-10 23:35:16 +00:00
parent 9c233dea0b
commit d3cca2bb02
4 changed files with 106 additions and 0 deletions
--- a/deploy/github-to-signal.nginx.conf
+++ b/deploy/github-to-signal.nginx.conf
@@ -0,0 +1,28 @@
+server {
+    listen 443 ssl;
+    server_name ghwebhook.example.com;
+
+    ssl_certificate     /etc/letsencrypt/live/ghwebhook.example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/ghwebhook.example.com/privkey.pem;
+
+    location /webhook {
+        proxy_pass http://127.0.0.1:9900;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # GitHub webhooks are small and fast
+        proxy_read_timeout 30s;
+        client_max_body_size 1m;
+    }
+
+    location /health {
+        proxy_pass http://127.0.0.1:9900;
+    }
+
+    # Block everything else
+    location / {
+        return 404;
+    }
+}
--- a/deploy/github-to-signal.service
+++ b/deploy/github-to-signal.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=GitHub webhook to Signal notifications
+After=signal-cli-bot.service
+Requires=signal-cli-bot.service
+
+[Service]
+Type=exec
+ExecStart=/usr/local/bin/github-to-signal
+WorkingDirectory=/etc/github-to-signal
+Restart=on-failure
+RestartSec=5
+
+# Hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+
+User=signal-bot
+Group=signal-bot
+
+[Install]
+WantedBy=multi-user.target
--- a/deploy/signal-cli-bot.service
+++ b/deploy/signal-cli-bot.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=signal-cli daemon for github-to-signal bot
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=exec
+ExecStart=/usr/local/bin/signal-cli -a +1YOURNUMBER daemon --http 127.0.0.1:8081 --no-receive-stdout
+Restart=on-failure
+RestartSec=5
+
+# Hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=read-only
+PrivateTmp=true
+ReadWritePaths=/home/signal-bot/.local/share/signal-cli
+
+User=signal-bot
+Group=signal-bot
+
+[Install]
+WantedBy=multi-user.target