From 38320508c7c3a904018f0ca9f088f665b87ca453 Mon Sep 17 00:00:00 2001 From: Thomas <51749973+Thovi98@users.noreply.github.com> Date: Mon, 6 Nov 2023 20:57:58 +0100 Subject: [PATCH] fix services --- conf/bookwyrm-beat.service | 38 +++++++++++++++++++++++------------- conf/bookwyrm-server.service | 30 +++++++++++++++++++++++++++- conf/bookwyrm-worker.service | 36 ++++++++++++++++++++++------------ 3 files changed, 76 insertions(+), 28 deletions(-) diff --git a/conf/bookwyrm-beat.service b/conf/bookwyrm-beat.service index 71e574f..0094854 100644 --- a/conf/bookwyrm-beat.service +++ b/conf/bookwyrm-beat.service @@ -1,7 +1,7 @@ [Unit] Description=__APP__ celery beat process -After=redis.service postgresql.service +After=network.target postgresql.service redis.service PartOf=__APP__.target [Service] 
@@ -11,21 +11,31 @@ WorkingDirectory=__INSTALL_DIR__/ EnvironmentFile=__INSTALL_DIR__/.env ExecStart=__INSTALL_DIR__/venv/bin/celery -A celerywyrm beat -l INFO --scheduler django_celery_beat.schedulers:DatabaseScheduler -NoNewPrivileges=yes +ProtectSystem=strict +ProtectHome=tmpfs +InaccessiblePaths=-/media -/mnt -/srv PrivateTmp=yes -PrivateDevices=yes -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK -RestrictNamespaces=yes -RestrictRealtime=yes -DevicePolicy=closed -ProtectClock=yes -ProtectHostname=yes -ProtectProc=invisible -ProtectSystem=full -ProtectControlGroups=yes -ProtectKernelModules=yes -ProtectKernelTunables=yes +TemporaryFileSystem=/var /run +PrivateUsers=true +PrivateDevices=true +BindReadOnlyPaths=__INSTALL_DIR__ +BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql LockPersonality=yes +MemoryDenyWriteExecute=true +PrivateMounts=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +RestrictNamespaces=net + +NoNewPrivileges=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +DevicePolicy=closed +ProtectProc=invisible SystemCallArchitectures=native SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged diff --git a/conf/bookwyrm-server.service b/conf/bookwyrm-server.service index 568143c..b03664b 100644 --- a/conf/bookwyrm-server.service +++ b/conf/bookwyrm-server.service @@ -1,7 +1,7 @@ [Unit] Description=__APP__ application server -After=redis.service postgresql.service +After=network.target postgresql.service redis.service PartOf=__APP__.target [Service] 
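Review bot: `RestrictNamespaces=net` in the rewritten [Service] block loosens the removed `RestrictNamespaces=yes`, because the option is an allow-list and `net` permits the process to create network namespaces, which a celery beat scheduler has no visible reason to do; restore `RestrictNamespaces=yes`. The practical exposure looks small, since `User=` drops capabilities and user namespaces stay blocked, but the same line is copied into the other two units so the relaxation is easy to overlook. Separately, `TemporaryFileSystem=/var /run` hides every socket under /run except the postgresql directory that `BindPaths` mounts back, so if the `.env` file points the celery broker at a redis unix socket rather than a TCP address the beat process will fail to connect — verify the REDIS_* settings against this sandbox before shipping.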
@@ -11,5 +11,33 @@ WorkingDirectory=__INSTALL_DIR__/ EnvironmentFile=__INSTALL_DIR__/.env ExecStart=__INSTALL_DIR__/venv/bin/gunicorn bookwyrm.wsgi:application --bind 127.0.0.1:__PORT__ +ProtectSystem=strict +ProtectHome=tmpfs +InaccessiblePaths=-/media -/mnt -/srv +PrivateTmp=yes +TemporaryFileSystem=/var /run +PrivateUsers=true +PrivateDevices=true +BindReadOnlyPaths=__INSTALL_DIR__ +BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql +LockPersonality=yes +MemoryDenyWriteExecute=true +PrivateMounts=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +RestrictNamespaces=net + +NoNewPrivileges=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +DevicePolicy=closed +ProtectProc=invisible +SystemCallArchitectures=native +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged + [Install] WantedBy=multi-user.target diff --git a/conf/bookwyrm-worker.service b/conf/bookwyrm-worker.service index 410d418..07945fa 100644 --- a/conf/bookwyrm-worker.service +++ b/conf/bookwyrm-worker.service @@ -1,7 +1,7 @@ [Unit] Description=__APP__ celery worker -After=redis.service postgresql.service +After=network.target postgresql.service redis.service PartOf=__APP__.target [Service] 
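Review bot: `BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql` re-mounts `static` writable inside the sandbox even though `BindReadOnlyPaths=__INSTALL_DIR__` already exposes it and nothing in this unit shows the gunicorn process writing collected static files at runtime; reduce it to `BindPaths=__INSTALL_DIR__/images /var/run/postgresql` unless a request-time writer (an on-demand asset compiler, for example) is known to need it, in which case a comment should say so. Keeping `static` read-only means a compromised request handler cannot plant or replace files that are later served to every visitor. Note also that `MemoryDenyWriteExecute=true` is new for this unit and can break Python extensions that depend on libffi closures or runtime code generation, so the service should be exercised end to end (image upload, remote fetch) before release rather than assumed to start cleanly.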
@@ -9,23 +9,33 @@ User=__APP__ Group=__APP__ WorkingDirectory=__INSTALL_DIR__/ EnvironmentFile=__INSTALL_DIR__/.env -ExecStart=__INSTALL_DIR__/venv/bin/celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,imports +ExecStart=__INSTALL_DIR__/venv/bin/celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,streams,images,suggested_users,email,connectors,lists,inbox,imports,import_triggered,broadcast,misc + +ProtectSystem=strict +ProtectHome=tmpfs +InaccessiblePaths=-/media -/mnt -/srv +PrivateTmp=yes +TemporaryFileSystem=/var /run +PrivateUsers=true +PrivateDevices=true +BindReadOnlyPaths=__INSTALL_DIR__ +BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql +LockPersonality=yes +MemoryDenyWriteExecute=true +PrivateMounts=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +RestrictNamespaces=net NoNewPrivileges=yes -PrivateTmp=yes -PrivateDevices=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK -RestrictNamespaces=yes -RestrictRealtime=yes DevicePolicy=closed -ProtectClock=yes -ProtectHostname=yes ProtectProc=invisible -ProtectSystem=full -ProtectControlGroups=yes -ProtectKernelModules=yes -ProtectKernelTunables=yes -LockPersonality=yes SystemCallArchitectures=native SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
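Review bot: The new `ExecStart` hard-codes fourteen queue names, and a queue that BookWyrm adds upstream but is missing here is silently never consumed — tasks accumulate in the broker with no error from the unit; add a comment above the line such as `# Queue list must match the queues declared in bookwyrm's celery configuration; an unlisted queue is never drained.` and re-check it on every upgrade. Because this worker also processes the `images` queue and is the only process allowed to write `__INSTALL_DIR__/images`, adding `RestrictSUIDSGID=yes` next to `NoNewPrivileges=yes` would close the remaining avenue of leaving setuid or setgid files in that writable directory. Finally, `/var/run/postgresql` is the only socket path bound back under the `/var /run` tmpfs, so a broker or mail backend configured over a unix socket in `.env` would be unreachable from here — confirm those are TCP endpoints.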