diff --git a/conf/bookwyrm-beat.service b/conf/bookwyrm-beat.service
deleted file mode 100644
index 71e574f..0000000
--- a/conf/bookwyrm-beat.service
+++ /dev/null
@@ -1,45 +0,0 @@
-
-[Unit]
-Description=__APP__ celery beat process
-After=redis.service postgresql.service
-PartOf=__APP__.target
-
-[Service]
-User=__APP__
-Group=__APP__
-WorkingDirectory=__INSTALL_DIR__/
-EnvironmentFile=__INSTALL_DIR__/.env
-ExecStart=__INSTALL_DIR__/venv/bin/celery -A celerywyrm beat -l INFO --scheduler django_celery_beat.schedulers:DatabaseScheduler
-
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateDevices=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictNamespaces=yes
-RestrictRealtime=yes
-DevicePolicy=closed
-ProtectClock=yes
-ProtectHostname=yes
-ProtectProc=invisible
-ProtectSystem=full
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-LockPersonality=yes
-SystemCallArchitectures=native
-SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
-
-# Denying access to capabilities that should not be relevant for webapps
-# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
-CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
-CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
-CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
-CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
-CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
-CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
-CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
-CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
-CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
-
-[Install]
-WantedBy=multi-user.target
diff --git a/conf/bookwyrm-server.service b/conf/bookwyrm-server.service
deleted file mode 100644
index 568143c..0000000
--- a/conf/bookwyrm-server.service
+++ /dev/null
@@ -1,15 +0,0 @@
-
-[Unit]
-Description=__APP__ application server
-After=redis.service postgresql.service
-PartOf=__APP__.target
-
-[Service]
-User=__APP__
-Group=__APP__
-WorkingDirectory=__INSTALL_DIR__/
-EnvironmentFile=__INSTALL_DIR__/.env
-ExecStart=__INSTALL_DIR__/venv/bin/gunicorn bookwyrm.wsgi:application --bind 127.0.0.1:__PORT__
-
-[Install]
-WantedBy=multi-user.target
diff --git a/conf/bookwyrm.target b/conf/bookwyrm.target
deleted file mode 100644
index ae63b04..0000000
--- a/conf/bookwyrm.target
+++ /dev/null
@@ -1,3 +0,0 @@
-[Unit]
-Description=Bookwyrm Services (__APP__)
-Wants=__APP__-server.service __APP__-worker.service __APP__-beat.service
\ No newline at end of file
diff --git a/conf/fittrackee.service b/conf/fittrackee.service
new file mode 100644
index 0000000..2db351c
--- /dev/null
+++ b/conf/fittrackee.service
@@ -0,0 +1,36 @@
+
+[Unit]
+Description=__APP__ service
+After=network.target
+After=postgresql.service
+After=redis.service
+StartLimitIntervalSec=0
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=1
+User=__APP__
+Group=__APP__
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=__APP__
+Environment="APP_SECRET_KEY="
+Environment="APP_LOG="
+Environment="UPLOAD_FOLDER="
+Environment="DATABASE_URL="
+Environment="UI_URL="
+Environment="EMAIL_URL="
+Environment="SENDER_EMAIL="
+Environment="REDIS_URL="
+Environment="TILE_SERVER_URL="
+Environment="STATICMAP_SUBDOMAINS="
+Environment="MAP_ATTRIBUTION="
+Environment="WEATHER_API_KEY="
+WorkingDirectory=__INSTALL_DIR__/
+EnvironmentFile=__INSTALL_DIR__/.env
+ExecStart=__INSTALL_DIR__/.venv/bin/gunicorn -b 127.0.0.1:__PORT__ "fittrackee:create_app()" --error-logfile __INSTALL_DIR__/gunicorn.log
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/conf/bookwyrm-worker.service b/conf/fittrackee_workers.service
similarity index 71%
rename from conf/bookwyrm-worker.service
rename to conf/fittrackee_workers.service
index 739c43d..0bd3be1 100644
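Review bot: The new fittrackee.service carries none of the sandboxing directives that the renamed fittrackee_workers.service keeps (`NoNewPrivileges=yes` and `PrivateTmp=yes` are visible at the end of that hunk), so the gunicorn process behind the reverse proxy runs with fewer restrictions than the background worker. Adding `NoNewPrivileges=yes` and `PrivateTmp=yes` under [Service] restores parity, and the deleted bookwyrm-beat.service shows the fuller set (ProtectSystem, SystemCallFilter, CapabilityBoundingSet) that could be carried over once verified against the app. `Restart=always` is set twice, once after `Type=simple` and again after `ExecStart=`; the second is redundant, and the same duplication is present in fittrackee_workers.service. `StandardOutput=syslog` and `StandardError=syslog` are deprecated in current systemd (treated as `journal` with a warning), so `journal` is the safer spelling.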
--- a/conf/bookwyrm-worker.service
+++ b/conf/fittrackee_workers.service
@@ -1,15 +1,34 @@
 [Unit]
-Description=__APP__ celery worker
-After=redis.service postgresql.service
-PartOf=__APP__.target
+Description=__APP__ task queue service
+After=network.target
+After=postgresql.service
+After=redis.service
+StartLimitIntervalSec=0
 [Service]
+Type=simple
+Restart=always
+RestartSec=1
 User=__APP__
 Group=__APP__
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=__APP___workers
+Environment="FLASK_APP=__APP__"
+Environment="APP_SECRET_KEY="
+Environment="APP_LOG="
+Environment="UPLOAD_FOLDER="
+Environment="DATABASE_URL="
+Environment="UI_URL="
+Environment="EMAIL_URL="
+Environment="SENDER_EMAIL="
+Environment="REDIS_URL="
 WorkingDirectory=__INSTALL_DIR__/
 EnvironmentFile=__INSTALL_DIR__/.env
-ExecStart=__INSTALL_DIR__/venv/bin/celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority
+ExecStart=__INSTALL_DIR__/.venv/bin/flask worker --processes 4
+Restart=always
 NoNewPrivileges=yes
 PrivateTmp=yes
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 4f85de8..404620a 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -4,7 +4,10 @@ location __PATH__/ {
 proxy_pass http://127.0.0.1:__PORT__/;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header Host $host;
-proxy_redirect off;
+proxy_redirect default;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-Host $server_name;
+proxy_set_header X-Forwarded-Proto $scheme;
 }
 location /images/ {
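Review bot: `Environment="FLASK_APP=__APP__"` ties the Flask import target to the app placeholder, while the sibling fittrackee.service hands gunicorn the literal `fittrackee:create_app()`; if `__APP__` can ever differ from the Python package name (for instance an instance suffix), `flask worker` would fail to import the app, so `Environment="FLASK_APP=fittrackee"` is the consistent choice. The `Environment="…="` lines assign empty strings; because EnvironmentFile= settings override Environment=, they are no-ops when `.env` is complete, but any variable missing from `.env` is then seen by the process as set-but-empty rather than unset, which matters most for `APP_SECRET_KEY`. Presumably they are meant as a checklist of required settings, and a comment such as `# Placeholders only; real values are supplied by the .env file below` would make that explicit. The [Service] section continues past `PrivateTmp=yes`, outside the hunk.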
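Review bot: `proxy_set_header X-Forwarded-Host $server_name;` forwards the configured vhost name rather than the client's Host header, while the `Host` header two lines above is still set from `$host`, so the two can disagree when the site is reached through an alias of the vhost. Pinning to `$server_name` is the stricter choice against Host-header spoofing; if that is deliberate, a comment such as `# $server_name, not $host: pin the forwarded host to the configured vhost` would keep the next reader from "fixing" it, otherwise `$host` keeps the pair consistent. The forwarded headers are only trustworthy if the upstream accepts them solely from this proxy; gunicorn's `--forwarded-allow-ips` defaults to loopback, which matches the `proxy_pass` target here, so this holds unless that default is changed. The enclosing `location __PATH__/ {` block starts before the hunk.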