After we have deployed the new release, we restart the app to make it live:
sudo /bin/systemctl restart foo
The user account needs sufficient permissions to restart the app, though.
Instead of giving the deploy account full sudo permissions, you can create a
user-specific sudo config file that specifies exactly which commands it can run:
deploy ALL=(ALL) NOPASSWD: /bin/systemctl start foo, /bin/systemctl stop foo, /bin/systemctl restart foo
That works OK, but it would be better if we didn't require sudo permissions at all. One option is to take advantage of the supervision provided by systemd to restart the app.
When we deploy a new release, the deploy user uploads the new code, sets up the symlink, then tells the app to shut down by touching a flag file on the disk or pinging a special URL. The app does a clean shutdown, systemd notices and starts it again with the new code.
The shutdown_flag library handles this for flag files.
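The flag-file approach described above can be sketched on the app side as follows. This is an added example, not code from the shutdown_flag library. It assumes the unit is configured with `Restart=always` so that systemd restarts the app after a clean exit, and the flag path, the `deploy` account lookup, and all function names are hypothetical. Because anyone who can create the flag can restart the app, the check accepts only a regular file owned by a trusted account.

```python
import os
import pwd
import stat
import sys
import time


def shutdown_requested(flag_path, trusted_uids):
    """Return True only if a trusted account created a regular flag file."""
    try:
        st = os.lstat(flag_path)  # lstat: never follow a symlink planted here
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False  # symlink, directory, FIFO, ...: ignore it
    return st.st_uid in trusted_uids


def consume_flag(flag_path):
    """Remove the flag so the restarted app does not shut down again."""
    try:
        os.unlink(flag_path)
    except FileNotFoundError:
        pass


def watch(flag_path, trusted_uids, on_shutdown, interval=1.0, max_polls=None):
    """Poll for the flag; on a trusted request, consume it and shut down."""
    polls = 0
    while max_polls is None or polls < max_polls:
        if shutdown_requested(flag_path, trusted_uids):
            consume_flag(flag_path)
            on_shutdown()  # drain connections, flush state, then exit
            return True
        polls += 1
        time.sleep(interval)
    return False


if __name__ == "__main__":
    FLAG = "/var/lib/foo/shutdown.flag"         # assumed path, not from the page
    deploy_uid = pwd.getpwnam("deploy").pw_uid  # the deploy account
    # Exit status 0 is a clean exit; systemd restarts it under Restart=always.
    watch(FLAG, {deploy_uid}, lambda: sys.exit(0))
```

Keep the flag directory writable only by the deploy account, so that restarting the app stays limited to that account just as the sudoers rule limited it.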