YunoHost-Apps/funkwhale_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/funkwhale_ynh.git synced 2024-09-03 18:36:24 +02:00
Code Issues Activity Actions 1

Add more security to systemd files

Browse source 
Add more security to systemd files
This commit is contained in:
Jean-Baptiste 2018-10-24 23:30:33 +02:00 committed by GitHub
commit d0a5e6c75e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 47 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
conf/funkwhale-beat.service
View file

@ -5,10 +5,24 @@ PartOf=__APP__.target
[Service]
User=__APP__
# adapt this depending on the path of your funkwhale installation
Group=__APP__
WorkingDirectory=__FINALPATH__/code/api
EnvironmentFile=__FINALPATH__/code/config/.env
ExecStart=__FINALPATH__/code/virtualenv/bin/celery -A funkwhale_api.taskapp beat -l INFO
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ProtectControlGroups=yes
ProtectKernelModules=yes
ReadOnlyPaths=__FINALPATH__/code/config/.env __FINALPATH__/code/
ReadWritePaths=__FINALPATH__/media __FINALPATH__/import __FINALPATH__/code/api
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=__APP__-beat
[Install]
WantedBy=multi-user.target

16
conf/funkwhale-server.service
View file

@ -5,10 +5,24 @@ PartOf=__APP__.target
[Service]
User=__APP__
# adapt this depending on the path of your funkwhale installation
Group=__APP__
WorkingDirectory=__FINALPATH__/code/api
EnvironmentFile=__FINALPATH__/code/config/.env
ExecStart=__FINALPATH__/code/virtualenv/bin/daphne -b ${FUNKWHALE_API_IP} -p ${FUNKWHALE_API_PORT} config.asgi:application --proxy-headers
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ProtectControlGroups=yes
ProtectKernelModules=yes
ReadOnlyPaths=__FINALPATH__/code/config/.env __FINALPATH__/code/
ReadWritePaths=__FINALPATH__/media __FINALPATH__/import
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=__APP__-server
[Install]
WantedBy=multi-user.target

16
conf/funkwhale-worker.service
View file

@ -5,10 +5,24 @@ PartOf=__APP__.target
[Service]
User=__APP__
# adapt this depending on the path of your funkwhale installation
Group=__APP__
WorkingDirectory=__FINALPATH__/code/api
EnvironmentFile=__FINALPATH__/code/config/.env
ExecStart=__FINALPATH__/code/virtualenv/bin/celery -A funkwhale_api.taskapp worker -l INFO
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ProtectControlGroups=yes
ProtectKernelModules=yes
ReadOnlyPaths=__FINALPATH__/code/config/.env __FINALPATH__/code/
ReadWritePaths=__FINALPATH__/media __FINALPATH__/import
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=__APP__-worker
[Install]
WantedBy=multi-user.target