mirror of
https://github.com/YunoHost-Apps/bookwyrm_ynh.git
synced 2024-09-03 18:16:12 +02:00
fix services
This commit is contained in:
Thomas
GitHub
parent
a6d98fd63a
commit
38320508c7
3 changed files with 76 additions and 28 deletions
|
|
@ -1,7 +1,7 @@
|
|||
|
||||
[Unit]
|
||||
Description=__APP__ celery beat process
|
||||
After=redis.service postgresql.service
|
||||
After=network.target postgresql.service redis.service
|
||||
PartOf=__APP__.target
|
||||
|
||||
[Service]
|
||||
|
|
@ -11,21 +11,31 @@ WorkingDirectory=__INSTALL_DIR__/
|
|||
EnvironmentFile=__INSTALL_DIR__/.env
|
||||
ExecStart=__INSTALL_DIR__/venv/bin/celery -A celerywyrm beat -l INFO --scheduler django_celery_beat.schedulers:DatabaseScheduler
|
||||
|
||||
NoNewPrivileges=yes
|
||||
ProtectSystem=strict
|
||||
ProtectHome=tmpfs
|
||||
InaccessiblePaths=-/media -/mnt -/srv
|
||||
PrivateTmp=yes
|
||||
PrivateDevices=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
DevicePolicy=closed
|
||||
ProtectClock=yes
|
||||
ProtectHostname=yes
|
||||
ProtectProc=invisible
|
||||
ProtectSystem=full
|
||||
ProtectControlGroups=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
TemporaryFileSystem=/var /run
|
||||
PrivateUsers=true
|
||||
PrivateDevices=true
|
||||
BindReadOnlyPaths=__INSTALL_DIR__
|
||||
BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=true
|
||||
PrivateMounts=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
RestrictNamespaces=net
|
||||
|
||||
NoNewPrivileges=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||
DevicePolicy=closed
|
||||
ProtectProc=invisible
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
|
||||
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
|
||||
[Unit]
|
||||
Description=__APP__ application server
|
||||
After=redis.service postgresql.service
|
||||
After=network.target postgresql.service redis.service
|
||||
PartOf=__APP__.target
|
||||
|
||||
[Service]
|
||||
|
|
@ -11,5 +11,33 @@ WorkingDirectory=__INSTALL_DIR__/
|
|||
EnvironmentFile=__INSTALL_DIR__/.env
|
||||
ExecStart=__INSTALL_DIR__/venv/bin/gunicorn bookwyrm.wsgi:application --bind 127.0.0.1:__PORT__
|
||||
|
||||
ProtectSystem=strict
|
||||
ProtectHome=tmpfs
|
||||
InaccessiblePaths=-/media -/mnt -/srv
|
||||
PrivateTmp=yes
|
||||
TemporaryFileSystem=/var /run
|
||||
PrivateUsers=true
|
||||
PrivateDevices=true
|
||||
BindReadOnlyPaths=__INSTALL_DIR__
|
||||
BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=true
|
||||
PrivateMounts=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
RestrictNamespaces=net
|
||||
|
||||
NoNewPrivileges=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||
DevicePolicy=closed
|
||||
ProtectProc=invisible
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
|
||||
[Unit]
|
||||
Description=__APP__ celery worker
|
||||
After=redis.service postgresql.service
|
||||
After=network.target postgresql.service redis.service
|
||||
PartOf=__APP__.target
|
||||
|
||||
[Service]
|
||||
|
|
@ -9,23 +9,33 @@ User=__APP__
|
|||
Group=__APP__
|
||||
WorkingDirectory=__INSTALL_DIR__/
|
||||
EnvironmentFile=__INSTALL_DIR__/.env
|
||||
ExecStart=__INSTALL_DIR__/venv/bin/celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,imports
|
||||
ExecStart=__INSTALL_DIR__/venv/bin/celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,streams,images,suggested_users,email,connectors,lists,inbox,imports,import_triggered,broadcast,misc
|
||||
|
||||
ProtectSystem=strict
|
||||
ProtectHome=tmpfs
|
||||
InaccessiblePaths=-/media -/mnt -/srv
|
||||
PrivateTmp=yes
|
||||
TemporaryFileSystem=/var /run
|
||||
PrivateUsers=true
|
||||
PrivateDevices=true
|
||||
BindReadOnlyPaths=__INSTALL_DIR__
|
||||
BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=true
|
||||
PrivateMounts=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
RestrictNamespaces=net
|
||||
|
||||
NoNewPrivileges=yes
|
||||
PrivateTmp=yes
|
||||
PrivateDevices=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
DevicePolicy=closed
|
||||
ProtectClock=yes
|
||||
ProtectHostname=yes
|
||||
ProtectProc=invisible
|
||||
ProtectSystem=full
|
||||
ProtectControlGroups=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
LockPersonality=yes
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue