Merged
15 changes: 15 additions & 0 deletions scripts/astrbot.service
@@ -0,0 +1,15 @@
[Unit]
Description=AstrBot Service
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
WorkingDirectory=%h/.local/share/astrbot
ExecStart=/usr/bin/sh -c '/usr/bin/astrbot run || { /usr/bin/astrbot init && /usr/bin/astrbot run; }'
Restart=on-failure
RestartSec=5
Environment=PYTHONUNBUFFERED=1
Copilot AI Feb 5, 2026

For a production service that serves thousands of users (as mentioned in the PR template), consider adding security hardening options to the systemd service. Common hardening options for Python applications include:

  • PrivateTmp=yes - Use private /tmp directory
  • NoNewPrivileges=yes - Prevent privilege escalation
  • ProtectSystem=strict - Make file system read-only except for WritableDirectories
  • ProtectHome=read-only - Limit home directory access
  • RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 - Limit network protocols

While optional, these would improve security especially since AstrBot opens network ports for the web dashboard and various messaging platforms.

Suggested change
Environment=PYTHONUNBUFFERED=1
Environment=PYTHONUNBUFFERED=1
PrivateTmp=yes
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=%h/.local/share/astrbot
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

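A small linter for the hardening suggestion in the review comment above, added here as an example (it is not code from the PR, from AstrBot or from Copilot); `parse_service`, `audit` and the embedded unit text are constructed for illustration. Beyond the listed directives it checks a dependency the suggestion implies: once `ProtectSystem=strict` or `ProtectHome=read-only` is set, the unit's `WorkingDirectory` has to be listed in `ReadWritePaths`.

```python
# Added example (not AstrBot code): lint [Service] against the review's suggestion.
BOOL_TRUE = {"yes", "true", "on", "1"}   # spellings systemd accepts for "yes"
SUGGESTED = {                            # directive -> value from the suggestion
    "PrivateTmp": "yes", "NoNewPrivileges": "yes",
    "ProtectSystem": "strict", "ProtectHome": "read-only",
    "RestrictAddressFamilies": "AF_UNIX AF_INET AF_INET6",
}

def parse_service(text):
    """Return {directive: [values]} for [Service]; repeated keys keep their order."""
    section, out = None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            out.setdefault(key.strip(), []).append(value.strip())
    return out

def norm(value):
    """Compare booleans by meaning and word lists as sets."""
    return "yes" if value.lower() in BOOL_TRUE else frozenset(value.split())

def audit(text):
    """Return findings; only the last assignment of each directive is compared."""
    svc = parse_service(text)
    last = lambda key: svc.get(key, [""])[-1]   # "" means the directive is absent
    findings = [f"{k}: want {want!r}, found {last(k)!r}"
                for k, want in SUGGESTED.items() if norm(last(k)) != norm(want)]
    # strict / read-only leave the data directory unwritable unless re-opened.
    workdir = last("WorkingDirectory")
    rw_paths = " ".join(svc.get("ReadWritePaths", [])).split()
    locked = last("ProtectSystem") == "strict" or last("ProtectHome") == "read-only"
    if locked and workdir and workdir not in rw_paths:
        findings.append(f"ReadWritePaths does not cover WorkingDirectory {workdir}")
    return findings

# Constructed inputs: [Service] lines from the PR, then with the suggestion applied.
PR_UNIT = """[Service]
WorkingDirectory=%h/.local/share/astrbot
Environment=PYTHONUNBUFFERED=1
"""
HARDENED = (PR_UNIT + "".join(f"{k}={v}\n" for k, v in SUGGESTED.items())
            + "ReadWritePaths=%h/.local/share/astrbot\n")

if __name__ == "__main__":
    print(audit(PR_UNIT), audit(HARDENED))
```

On a host where the unit is loaded, `systemd-analyze security` reports a broader set of sandboxing settings than this static check covers.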

[Install]
WantedBy=default.target
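Review bot: The `ExecStart=` line treats every non-zero exit of `/usr/bin/astrbot run` as "not initialised yet", so any crash runs `/usr/bin/astrbot init` and then a second `run` inside the same start attempt, and with `Restart=on-failure` and `RestartSec=5` the same sequence repeats on each restart. Consider moving initialisation out of the failure path, for example into an `ExecStartPre=` step that only runs when the data directory has not been set up, and keeping `ExecStart=/usr/bin/astrbot run` so the main PID is the bot rather than the `sh` wrapper. Related: `WorkingDirectory=%h/.local/share/astrbot` has no `-` prefix, so if that directory does not exist the unit fails before `ExecStart=` is reached and the init fallback never gets a chance to run on a fresh account.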
Comment on lines +14 to +15
Copilot AI Feb 5, 2026

The service uses WantedBy=default.target which is appropriate for user services, but combined with the /usr/bin/astrbot path (which suggests system-wide installation), this creates confusion about whether this is a system service or user service.

For a user service (installed in ~/.config/systemd/user/), default.target is correct. However, for a system service (installed in /etc/systemd/system/ or /usr/lib/systemd/system/), it should use WantedBy=multi-user.target instead.

The current configuration appears to be intended as a user service (given the %h in WorkingDirectory), but this should be clarified. Consider:

  1. Adding a comment at the top of the file indicating this is a user service
  2. Updating the ExecStart path to use user-local paths (e.g., %h/.local/bin/astrbot)
  3. Or, if this should be a system service, change to multi-user.target and use absolute paths without %h

Comment on lines +1 to +15
Copilot AI Feb 5, 2026

The PR adds a systemd service file but provides no documentation on how to install or use it. Users will not know:

  • Where to copy this file (~/.config/systemd/user/ vs /etc/systemd/system/)
  • Whether they need to install astrbot system-wide first
  • What directory structure is expected
  • How to customize the paths for their installation
  • Whether to run systemctl --user or just systemctl

Consider adding:

  1. A README or installation guide in the scripts directory
  2. Installation instructions in the main README.md
  3. Comments in the service file itself explaining the setup steps

Comment on lines +1 to +15
Copilot AI Feb 5, 2026

The PR description has all checklist items unchecked, which according to the template means:

  • The feature may not have been discussed with authors
  • No testing evidence or verification steps provided
  • Dependencies not verified
  • Potential security concerns not confirmed

Given that this change introduces a new deployment method that could be used by thousands of users (as mentioned in the checklist), it's important to complete the checklist items, particularly:

  1. Provide verification steps showing this service file works correctly
  2. Add screenshots or test logs demonstrating successful service startup
  3. Confirm no malicious code was introduced

The PR template explicitly states "If merged, your code will serve tens of thousands of users! Please double-check the following items before submitting."
