fastapi_ynh/conf/systemd.service

[Unit]
Description=__APP__ server

[Service]
#Type=simple
User=__APP__
Group=__APP__
WorkingDirectory=__DATA_DIR__/

# UVICORN_ROOT_PATH is used by FastAPI to serve the 'docs' page correctly
Environment="UVICORN_ROOT_PATH=__PATH__"

ExecStart=__INSTALL_DIR__/venv/bin/gunicorn --config __INSTALL_DIR__/gunicorn.conf.py FastAPIAppFolder:app --worker-class uvicorn.workers.UvicornWorker

Restart=on-failure
RestartSec=1s
StartLimitIntervalSec=60
StartLimitBurst=5

StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=__APP__-server

# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
DevicePolicy=closed
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallArchitectures=native
#TODO : list all system call that could be needed by the application
#SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged

# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG

[Install]
WantedBy=multi-user.target
Initial commit 2023-11-28 13:20:48 +01:00			`[Unit]`
premier essai pour avoir une installation fonctionnant d'une app fastapi 2023-11-28 15:45:06 +01:00			`Description=__APP__ server`
Initial commit 2023-11-28 13:20:48 +01:00
			`[Service]`
premier essai pour avoir une installation fonctionnant d'une app fastapi 2023-11-28 15:45:06 +01:00			`#Type=simple`
Initial commit 2023-11-28 13:20:48 +01:00			`User=__APP__`
			`Group=__APP__`
premier essai pour avoir une installation fonctionnant d'une app fastapi 2023-11-28 15:45:06 +01:00			`WorkingDirectory=__DATA_DIR__/`

définition du root_path via uvicorn 2023-12-08 15:03:41 +01:00			`# UVICORN_ROOT_PATH is used by FastAPI to serve the 'docs' page correctly`
			`Environment="UVICORN_ROOT_PATH=__PATH__"`

application file into install_dir folder, user's custom code into data_dir 2023-12-01 16:50:49 +01:00			`ExecStart=__INSTALL_DIR__/venv/bin/gunicorn --config __INSTALL_DIR__/gunicorn.conf.py FastAPIAppFolder:app --worker-class uvicorn.workers.UvicornWorker`
premier essai pour avoir une installation fonctionnant d'une app fastapi 2023-11-28 15:45:06 +01:00
fix nginx header to enable CORS + adding auto-restart in case on failure, such as Out Of Memory 2024-04-08 14:38:15 +02:00			`Restart=on-failure`
			`RestartSec=1s`
			`StartLimitIntervalSec=60`
			`StartLimitBurst=5`

premier essai pour avoir une installation fonctionnant d'une app fastapi 2023-11-28 15:45:06 +01:00			`StandardOutput=syslog`
			`StandardError=syslog`
			`SyslogIdentifier=__APP__-server`
Initial commit 2023-11-28 13:20:48 +01:00
			`# Sandboxing options to harden security`
			`# Depending on specificities of your service/app, you may need to tweak these`
			`# .. but this should be a good baseline`
			`# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html`
			`NoNewPrivileges=yes`
			`PrivateTmp=yes`
			`PrivateDevices=yes`
			`RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK`
			`RestrictNamespaces=yes`
			`RestrictRealtime=yes`
			`DevicePolicy=closed`
			`ProtectClock=yes`
			`ProtectHostname=yes`
			`ProtectProc=invisible`
			`ProtectSystem=full`
			`ProtectControlGroups=yes`
			`ProtectKernelModules=yes`
			`ProtectKernelTunables=yes`
			`LockPersonality=yes`
			`SystemCallArchitectures=native`
fix des droits du service et de l'installation des dépendance python 2023-12-01 10:19:35 +01:00			`#TODO : list all system call that could be needed by the application`
			`#SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged`
Initial commit 2023-11-28 13:20:48 +01:00
			`# Denying access to capabilities that should not be relevant for webapps`
			`# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html`
			`CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD`
			`CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE`
			`CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT`
			`CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK`
			`CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM`
			`CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG`
			`CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE`
			`CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW`
			`CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG`

			`[Install]`
			`WantedBy=multi-user.target`