diff --git a/check_process b/check_process index f41c4c9..ac4363b 100644 --- a/check_process +++ b/check_process @@ -1,30 +1,20 @@ -# See here for more information -# https://github.com/YunoHost/package_check#syntax-check_process-file - -# Move this file from check_process.default to check_process when you have filled it. - ;; Test complet ; Manifest domain="domain.tld" - path="/path" is_public=1 - language="fr" - admin="john" - password="1Strong-Password" port="666" ; Checks pkg_linter=1 - setup_sub_dir=1 + setup_sub_dir=0 setup_root=1 setup_nourl=0 setup_private=1 setup_public=1 upgrade=1 - upgrade=1 from_commit=CommitHash backup_restore=1 multi_instance=1 port_already_use=0 - change_url=1 + change_url=0 ;;; Options Email= Notification=none diff --git a/conf/systemd.service b/conf/systemd.service index 92202ee..1613e78 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -1,5 +1,5 @@ [Unit] -Description=gunicorn daemon for recipes +Description=Tandoor, smart recipe mangement After=network.target [Service] @@ -7,10 +7,42 @@ Type=simple Restart=always RestartSec=3 User=__APP__ -Group=www-data +Group=__APP__ WorkingDirectory=__FINALPATH__ EnvironmentFile=__FINALPATH__/.env -ExecStart=__FINALPATH__/venv/bin/gunicorn --error-logfile /tmp/gunicorn_err.log --log-level debug --capture-output --bind 127.0.0.1:__PORT__ recipes.wsgi:application +ExecStart=__FINALPATH__/venv/bin/gunicorn --error-logfile /var/log/__APP__/__APP__.log --bind 127.0.0.1:__PORT__ recipes.wsgi:application +Restart=on-failure +RestartSec=10 + +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG [Install] WantedBy=multi-user.target \ No newline at end of file