mirror of
https://github.com/YunoHost-Apps/tandoor_ynh.git
synced 2024-09-03 20:35:56 +02:00
fix
This commit is contained in:
navanchauhan
parent
73f7ad9b0f
commit
b62d8c33b5
2 changed files with 37 additions and 15 deletions
|
|
@ -1,30 +1,20 @@
|
|||
# See here for more information
|
||||
# https://github.com/YunoHost/package_check#syntax-check_process-file
|
||||
|
||||
# Move this file from check_process.default to check_process when you have filled it.
|
||||
|
||||
;; Test complet
|
||||
; Manifest
|
||||
domain="domain.tld"
|
||||
path="/path"
|
||||
is_public=1
|
||||
language="fr"
|
||||
admin="john"
|
||||
password="1Strong-Password"
|
||||
port="666"
|
||||
; Checks
|
||||
pkg_linter=1
|
||||
setup_sub_dir=1
|
||||
setup_sub_dir=0
|
||||
setup_root=1
|
||||
setup_nourl=0
|
||||
setup_private=1
|
||||
setup_public=1
|
||||
upgrade=1
|
||||
upgrade=1 from_commit=CommitHash
|
||||
backup_restore=1
|
||||
multi_instance=1
|
||||
port_already_use=0
|
||||
change_url=1
|
||||
change_url=0
|
||||
;;; Options
|
||||
Email=
|
||||
Notification=none
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
[Unit]
|
||||
Description=gunicorn daemon for recipes
|
||||
Description=Tandoor, smart recipe mangement
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
|
|
@ -7,10 +7,42 @@ Type=simple
|
|||
Restart=always
|
||||
RestartSec=3
|
||||
User=__APP__
|
||||
Group=www-data
|
||||
Group=__APP__
|
||||
WorkingDirectory=__FINALPATH__
|
||||
EnvironmentFile=__FINALPATH__/.env
|
||||
ExecStart=__FINALPATH__/venv/bin/gunicorn --error-logfile /tmp/gunicorn_err.log --log-level debug --capture-output --bind 127.0.0.1:__PORT__ recipes.wsgi:application
|
||||
ExecStart=__FINALPATH__/venv/bin/gunicorn --error-logfile /var/log/__APP__/__APP__.log --bind 127.0.0.1:__PORT__ recipes.wsgi:application
|
||||
Restart=on-failure
|
||||
RestartSec=10
|
||||
|
||||
# Sandboxing options to harden security
|
||||
# Depending on specificities of your service/app, you may need to tweak these
|
||||
# .. but this should be a good baseline
|
||||
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
|
||||
NoNewPrivileges=yes
|
||||
PrivateTmp=yes
|
||||
PrivateDevices=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
DevicePolicy=closed
|
||||
ProtectSystem=full
|
||||
ProtectControlGroups=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
LockPersonality=yes
|
||||
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
|
||||
|
||||
# Denying access to capabilities that should not be relevant for webapps
|
||||
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
|
||||
CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
|
||||
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
|
||||
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
|
||||
CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
|
||||
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
|
||||
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
|
||||
CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
|
||||
CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
|
||||
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Loading…
Reference in a new issue