mirrors/bookwyrm
1
0
Fork 1
mirror of https://github.com/bookwyrm-social/bookwyrm.git synced 2024-11-27 20:11:14 +00:00
Code Issues Projects Releases Wiki Activity

Add sandboxing to systemd examples

Browse source
This commit is contained in:
Holger Brunn 2023-08-19 12:02:04 +02:00
parent e5f8e4babc
commit 0a9ef9e047
3 changed files with 63 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
contrib/systemd/bookwyrm-scheduler.service
View file

@ -5,10 +5,30 @@ After=network.target postgresql.service redis.service
[Service] [Service]
User=bookwyrm User=bookwyrm
Group=bookwyrm Group=bookwyrm
WorkingDirectory=/opt/bookwyrm/ WorkingDirectory=/opt/bookwyrm
ExecStart=/opt/bookwyrm/venv/bin/celery -A celerywyrm beat -l INFO --scheduler django_celery_beat.schedulers:DatabaseScheduler ExecStart=/opt/bookwyrm/venv/bin/celery -A celerywyrm beat -l INFO --scheduler django_celery_beat.schedulers:DatabaseScheduler
StandardOutput=journal StandardOutput=journal
StandardError=inherit StandardError=inherit
ProtectSystem=strict
ProtectHome=tmpfs
InaccessiblePaths=-/media -/mnt -/srv
PrivateTmp=yes
TemporaryFileSystem=/var /run /opt
PrivateUsers=true
PrivateDevices=true
BindReadOnlyPaths=/opt/bookwyrm
BindPaths=/opt/bookwyrm/images /opt/bookwyrm/static /var/run/postgresql
LockPersonality=yes
MemoryDenyWriteExecute=true
PrivateMounts=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=net
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

22
contrib/systemd/bookwyrm-worker.service
View file

@ -5,10 +5,30 @@ After=network.target postgresql.service redis.service
[Service] [Service]
User=bookwyrm User=bookwyrm
Group=bookwyrm Group=bookwyrm
WorkingDirectory=/opt/bookwyrm/ WorkingDirectory=/opt/bookwyrm
ExecStart=/opt/bookwyrm/venv/bin/celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,streams,images,suggested_users,email,connectors,lists,inbox,imports,import_triggered,broadcast,misc ExecStart=/opt/bookwyrm/venv/bin/celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,streams,images,suggested_users,email,connectors,lists,inbox,imports,import_triggered,broadcast,misc
StandardOutput=journal StandardOutput=journal
StandardError=inherit StandardError=inherit
ProtectSystem=strict
ProtectHome=tmpfs
InaccessiblePaths=-/media -/mnt -/srv
PrivateTmp=yes
TemporaryFileSystem=/var /run /opt
PrivateUsers=true
PrivateDevices=true
BindReadOnlyPaths=/opt/bookwyrm
BindPaths=/opt/bookwyrm/images /opt/bookwyrm/static /var/run/postgresql
LockPersonality=yes
MemoryDenyWriteExecute=true
PrivateMounts=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=net
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

22
contrib/systemd/bookwyrm.service
View file

@ -5,10 +5,30 @@ After=network.target postgresql.service redis.service
[Service] [Service]
User=bookwyrm User=bookwyrm
Group=bookwyrm Group=bookwyrm
WorkingDirectory=/opt/bookwyrm/ WorkingDirectory=/opt/bookwyrm
ExecStart=/opt/bookwyrm/venv/bin/gunicorn bookwyrm.wsgi:application --bind 0.0.0.0:8000 ExecStart=/opt/bookwyrm/venv/bin/gunicorn bookwyrm.wsgi:application --bind 0.0.0.0:8000
StandardOutput=journal StandardOutput=journal
StandardError=inherit StandardError=inherit
ProtectSystem=strict
ProtectHome=tmpfs
InaccessiblePaths=-/media -/mnt -/srv
PrivateTmp=yes
TemporaryFileSystem=/var /run /opt
PrivateUsers=true
PrivateDevices=true
BindReadOnlyPaths=/opt/bookwyrm
BindPaths=/opt/bookwyrm/images /opt/bookwyrm/static /var/run/postgresql
LockPersonality=yes
MemoryDenyWriteExecute=true
PrivateMounts=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=net
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target