mirror of https://github.com/YunoHost-Apps/funkwhale_ynh.git synced 2024-09-03 18:36:24 +02:00

Add more security to systemd files

Add more security to systemd files
Jean-Baptiste 2018-10-24 23:30:33 +02:00 committed by GitHub
commit d0a5e6c75e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 47 additions and 5 deletions


@ -5,10 +5,24 @@ PartOf=__APP__.target
[Service] [Service]
User=__APP__ User=__APP__
# adapt this depending on the path of your funkwhale installation Group=__APP__
WorkingDirectory=__FINALPATH__/code/api WorkingDirectory=__FINALPATH__/code/api
EnvironmentFile=__FINALPATH__/code/config/.env EnvironmentFile=__FINALPATH__/code/config/.env
ExecStart=__FINALPATH__/code/virtualenv/bin/celery -A funkwhale_api.taskapp beat -l INFO ExecStart=__FINALPATH__/code/virtualenv/bin/celery -A funkwhale_api.taskapp beat -l INFO
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ProtectControlGroups=yes
ProtectKernelModules=yes
ReadOnlyPaths=__FINALPATH__/code/config/.env __FINALPATH__/code/
ReadWritePaths=__FINALPATH__/media __FINALPATH__/import __FINALPATH__/code/api
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=__APP__-beat
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
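Review bot: `ReadWritePaths=` in the beat unit re-opens `__FINALPATH__/code/api` for writing, so the process can modify the application code that the `ReadOnlyPaths=__FINALPATH__/code/` line is meant to protect. The directory is presumably writable only because celery beat drops its schedule file into the working directory; the hunk does not show that, so confirm it. If so, give the file a dedicated location instead, for example `StateDirectory=__APP__` with `--schedule /var/lib/__APP__/celerybeat-schedule` appended to `ExecStart=`, and remove `__FINALPATH__/code/api` from `ReadWritePaths=`. The server and worker units already omit that path.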


@ -5,10 +5,24 @@ PartOf=__APP__.target
[Service] [Service]
User=__APP__ User=__APP__
# adapt this depending on the path of your funkwhale installation Group=__APP__
WorkingDirectory=__FINALPATH__/code/api WorkingDirectory=__FINALPATH__/code/api
EnvironmentFile=__FINALPATH__/code/config/.env EnvironmentFile=__FINALPATH__/code/config/.env
ExecStart=__FINALPATH__/code/virtualenv/bin/daphne -b ${FUNKWHALE_API_IP} -p ${FUNKWHALE_API_PORT} config.asgi:application --proxy-headers ExecStart=__FINALPATH__/code/virtualenv/bin/daphne -b ${FUNKWHALE_API_IP} -p ${FUNKWHALE_API_PORT} config.asgi:application --proxy-headers
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ProtectControlGroups=yes
ProtectKernelModules=yes
ReadOnlyPaths=__FINALPATH__/code/config/.env __FINALPATH__/code/
ReadWritePaths=__FINALPATH__/media __FINALPATH__/import
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=__APP__-server
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
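Review bot: The daphne unit is the one that accepts network traffic, but the added sandboxing covers only the filesystem, devices and privilege escalation; kernel tunables, capabilities and socket families are left unrestricted. Consider adding `ProtectKernelTunables=yes`, `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` and an empty `CapabilityBoundingSet=` to the `[Service]` section. The empty capability set assumes `FUNKWHALE_API_PORT` is an unprivileged port, which is not visible here. The same applies to the beat and worker units in this commit. Separately, the new lines mix `true` and `yes` for booleans; picking one spelling keeps the three files easier to audit.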


@ -5,10 +5,24 @@ PartOf=__APP__.target
[Service] [Service]
User=__APP__ User=__APP__
# adapt this depending on the path of your funkwhale installation Group=__APP__
WorkingDirectory=__FINALPATH__/code/api WorkingDirectory=__FINALPATH__/code/api
EnvironmentFile=__FINALPATH__/code/config/.env EnvironmentFile=__FINALPATH__/code/config/.env
ExecStart=__FINALPATH__/code/virtualenv/bin/celery -A funkwhale_api.taskapp worker -l INFO ExecStart=__FINALPATH__/code/virtualenv/bin/celery -A funkwhale_api.taskapp worker -l INFO
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ProtectControlGroups=yes
ProtectKernelModules=yes
ReadOnlyPaths=__FINALPATH__/code/config/.env __FINALPATH__/code/
ReadWritePaths=__FINALPATH__/media __FINALPATH__/import
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=__APP__-worker
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
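Review bot: The `ReadOnlyPaths=__FINALPATH__/code/config/.env __FINALPATH__/code/` line has no effect beyond what `ProtectSystem=strict` already does, since that setting mounts the whole hierarchy read-only, and its first entry sits inside the second. It can also be misread as protecting the secrets in `.env`, which the service can still read. Either drop the line or keep it with a comment such as `# defence in depth: code tree stays read-only even if ProtectSystem= is relaxed`. The effective policy is the `ReadWritePaths=` line, and systemd refuses to start the unit if a listed path is missing; unless the install script guarantees `media` and `import` exist, prefix them with `-` (`ReadWritePaths=-__FINALPATH__/media -__FINALPATH__/import`). The same lines appear in the beat and server units.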