guardctrl.md

@@ -19,6 +19,19 @@ We use `uid=1010` to not collide with any of the other standard system users, an
 
 NOTE: For a site setup where guardctrl will be accessed through a ~passwordless-SSH-interface, the guardian user should not have a password.  Otherwise the guardian user can have a password as usual.
 
+### systemd and journald config
+
+The guardian systemd --user setup needs to be configured to be "persistent" so that it won't be shut down if the guardian user is not logged in.  This is handled with loginctl:
+```shell
+# loginctl enable-linger guardian
+```
+
+The system journald needs to be configured to store all logs indefinitely.  This is done by setting `Storage=persistent` in `/etc/systemd/journald.conf`:
+```
+[Journal]
+Storage=persistent
+```
+
 ### guardctrl setup
 
 The `guardctrl` interface knows that it's running as the correct user by the presence of a `~/.guardctrl-home` file.  Touch this file in the `guardian` user home directory:
@@ -58,5 +71,17 @@ Occasionally it might be necessary to access the guardian user directly.  If pas
 ```shell
 root@h1guardian1:~# machinectl shell guardian@ /bin/bash
 guardian@h1guardian1:~$ systemctl --user status
-...
+* h1guardian1
+    State: running
+     Jobs: 0 queued
+   Failed: 0 units
+    Since: Tue 2018-02-27 15:44:08 PST; 11s ago
+   CGroup: /user.slice/user-1010.slice/user@1010.service
+           `-init.scope
+             |-11818 /lib/systemd/systemd --user
+             `-11820 (sd-pam)
+guardian@h1guardian1:~$ exit
+logout
+Connection to the local host terminated.
+root@h1guardian1:~#
 ```
\ No newline at end of file