2022-11-15 15:32:12 +00:00
|
|
|
[Unit]
|
|
|
|
Description=BookWyrm
|
2022-12-30 16:35:11 +00:00
|
|
|
After=network.target postgresql.service redis.service
|
2022-11-15 15:32:12 +00:00
|
|
|
|
|
|
|
[Service]
|
|
|
|
User=bookwyrm
|
|
|
|
Group=bookwyrm
|
2023-08-19 10:02:04 +00:00
|
|
|
WorkingDirectory=/opt/bookwyrm
|
2022-11-15 15:32:12 +00:00
|
|
|
ExecStart=/opt/bookwyrm/venv/bin/gunicorn bookwyrm.wsgi:application --bind 0.0.0.0:8000
|
|
|
|
StandardOutput=journal
|
|
|
|
StandardError=inherit
|
2023-08-19 10:02:04 +00:00
|
|
|
ProtectSystem=strict
|
|
|
|
ProtectHome=tmpfs
|
|
|
|
InaccessiblePaths=-/media -/mnt -/srv
|
|
|
|
PrivateTmp=yes
|
|
|
|
TemporaryFileSystem=/var /run /opt
|
|
|
|
PrivateUsers=true
|
|
|
|
PrivateDevices=true
|
|
|
|
BindReadOnlyPaths=/opt/bookwyrm
|
|
|
|
BindPaths=/opt/bookwyrm/images /opt/bookwyrm/static /var/run/postgresql
|
|
|
|
LockPersonality=yes
|
|
|
|
MemoryDenyWriteExecute=true
|
|
|
|
PrivateMounts=true
|
|
|
|
ProtectHostname=true
|
|
|
|
ProtectClock=true
|
|
|
|
ProtectKernelTunables=true
|
|
|
|
ProtectKernelModules=true
|
|
|
|
ProtectKernelLogs=true
|
|
|
|
ProtectControlGroups=true
|
|
|
|
RestrictRealtime=true
|
|
|
|
RestrictNamespaces=net
|
2022-11-15 15:32:12 +00:00
|
|
|
|
|
|
|
[Install]
|
|
|
|
WantedBy=multi-user.target
|