YunoHost-Apps/bookwyrm_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/bookwyrm_ynh.git synced 2024-09-03 18:16:12 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix services

Browse source
This commit is contained in:
Thomas 2023-11-06 20:57:58 +01:00 committed by GitHub
parent a6d98fd63a
commit 38320508c7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 76 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
conf/bookwyrm-beat.service
View file

@ -1,7 +1,7 @@
[Unit] [Unit]
Description=__APP__ celery beat process Description=__APP__ celery beat process
After=redis.service postgresql.service After=network.target postgresql.service redis.service
PartOf=__APP__.target PartOf=__APP__.target
[Service] [Service]
@ -11,21 +11,31 @@ WorkingDirectory=__INSTALL_DIR__/
EnvironmentFile=__INSTALL_DIR__/.env EnvironmentFile=__INSTALL_DIR__/.env
ExecStart=__INSTALL_DIR__/venv/bin/celery -A celerywyrm beat -l INFO --scheduler django_celery_beat.schedulers:DatabaseScheduler ExecStart=__INSTALL_DIR__/venv/bin/celery -A celerywyrm beat -l INFO --scheduler django_celery_beat.schedulers:DatabaseScheduler
NoNewPrivileges=yes ProtectSystem=strict
ProtectHome=tmpfs
InaccessiblePaths=-/media -/mnt -/srv
PrivateTmp=yes PrivateTmp=yes
PrivateDevices=yes TemporaryFileSystem=/var /run
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK PrivateUsers=true
RestrictNamespaces=yes PrivateDevices=true
RestrictRealtime=yes BindReadOnlyPaths=__INSTALL_DIR__
DevicePolicy=closed BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes LockPersonality=yes
MemoryDenyWriteExecute=true
PrivateMounts=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=net
NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
DevicePolicy=closed
ProtectProc=invisible
SystemCallArchitectures=native SystemCallArchitectures=native
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged

30
conf/bookwyrm-server.service
View file

@ -1,7 +1,7 @@
[Unit] [Unit]
Description=__APP__ application server Description=__APP__ application server
After=redis.service postgresql.service After=network.target postgresql.service redis.service
PartOf=__APP__.target PartOf=__APP__.target
[Service] [Service]
@ -11,5 +11,33 @@ WorkingDirectory=__INSTALL_DIR__/
EnvironmentFile=__INSTALL_DIR__/.env EnvironmentFile=__INSTALL_DIR__/.env
ExecStart=__INSTALL_DIR__/venv/bin/gunicorn bookwyrm.wsgi:application --bind 127.0.0.1:__PORT__ ExecStart=__INSTALL_DIR__/venv/bin/gunicorn bookwyrm.wsgi:application --bind 127.0.0.1:__PORT__
ProtectSystem=strict
ProtectHome=tmpfs
InaccessiblePaths=-/media -/mnt -/srv
PrivateTmp=yes
TemporaryFileSystem=/var /run
PrivateUsers=true
PrivateDevices=true
BindReadOnlyPaths=__INSTALL_DIR__
BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql
LockPersonality=yes
MemoryDenyWriteExecute=true
PrivateMounts=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=net
NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
DevicePolicy=closed
ProtectProc=invisible
SystemCallArchitectures=native
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

36
conf/bookwyrm-worker.service
View file

@ -1,7 +1,7 @@
[Unit] [Unit]
Description=__APP__ celery worker Description=__APP__ celery worker
After=redis.service postgresql.service After=network.target postgresql.service redis.service
PartOf=__APP__.target PartOf=__APP__.target
[Service] [Service]
@ -9,23 +9,33 @@ User=__APP__
Group=__APP__ Group=__APP__
WorkingDirectory=__INSTALL_DIR__/ WorkingDirectory=__INSTALL_DIR__/
EnvironmentFile=__INSTALL_DIR__/.env EnvironmentFile=__INSTALL_DIR__/.env
ExecStart=__INSTALL_DIR__/venv/bin/celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,imports ExecStart=__INSTALL_DIR__/venv/bin/celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,streams,images,suggested_users,email,connectors,lists,inbox,imports,import_triggered,broadcast,misc
ProtectSystem=strict
ProtectHome=tmpfs
InaccessiblePaths=-/media -/mnt -/srv
PrivateTmp=yes
TemporaryFileSystem=/var /run
PrivateUsers=true
PrivateDevices=true
BindReadOnlyPaths=__INSTALL_DIR__
BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql
LockPersonality=yes
MemoryDenyWriteExecute=true
PrivateMounts=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=net
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
DevicePolicy=closed DevicePolicy=closed
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible ProtectProc=invisible
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallArchitectures=native SystemCallArchitectures=native
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged