mirror of
https://github.com/bookwyrm-social/bookwyrm.git
synced 2024-11-25 11:01:12 +00:00
Merge pull request #2960 from hbrunn/main-systemd-sandboxing
Add sandboxing to systemd examples
This commit is contained in:
commit
912269303e
3 changed files with 63 additions and 3 deletions
|
@ -5,10 +5,30 @@ After=network.target postgresql.service redis.service
|
|||
[Service]
|
||||
User=bookwyrm
|
||||
Group=bookwyrm
|
||||
WorkingDirectory=/opt/bookwyrm/
|
||||
WorkingDirectory=/opt/bookwyrm
|
||||
ExecStart=/opt/bookwyrm/venv/bin/celery -A celerywyrm beat -l INFO --scheduler django_celery_beat.schedulers:DatabaseScheduler
|
||||
StandardOutput=journal
|
||||
StandardError=inherit
|
||||
ProtectSystem=strict
|
||||
ProtectHome=tmpfs
|
||||
InaccessiblePaths=-/media -/mnt -/srv
|
||||
PrivateTmp=yes
|
||||
TemporaryFileSystem=/var /run /opt
|
||||
PrivateUsers=true
|
||||
PrivateDevices=true
|
||||
BindReadOnlyPaths=/opt/bookwyrm
|
||||
BindPaths=/opt/bookwyrm/images /opt/bookwyrm/static /var/run/postgresql
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=true
|
||||
PrivateMounts=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
RestrictNamespaces=net
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
|
@ -5,10 +5,30 @@ After=network.target postgresql.service redis.service
|
|||
[Service]
|
||||
User=bookwyrm
|
||||
Group=bookwyrm
|
||||
WorkingDirectory=/opt/bookwyrm/
|
||||
WorkingDirectory=/opt/bookwyrm
|
||||
ExecStart=/opt/bookwyrm/venv/bin/celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,streams,images,suggested_users,email,connectors,lists,inbox,imports,import_triggered,broadcast,misc
|
||||
StandardOutput=journal
|
||||
StandardError=inherit
|
||||
ProtectSystem=strict
|
||||
ProtectHome=tmpfs
|
||||
InaccessiblePaths=-/media -/mnt -/srv
|
||||
PrivateTmp=yes
|
||||
TemporaryFileSystem=/var /run /opt
|
||||
PrivateUsers=true
|
||||
PrivateDevices=true
|
||||
BindReadOnlyPaths=/opt/bookwyrm
|
||||
BindPaths=/opt/bookwyrm/images /opt/bookwyrm/static /var/run/postgresql
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=true
|
||||
PrivateMounts=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
RestrictNamespaces=net
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
|
@ -5,10 +5,30 @@ After=network.target postgresql.service redis.service
|
|||
[Service]
|
||||
User=bookwyrm
|
||||
Group=bookwyrm
|
||||
WorkingDirectory=/opt/bookwyrm/
|
||||
WorkingDirectory=/opt/bookwyrm
|
||||
ExecStart=/opt/bookwyrm/venv/bin/gunicorn bookwyrm.wsgi:application --bind 0.0.0.0:8000
|
||||
StandardOutput=journal
|
||||
StandardError=inherit
|
||||
ProtectSystem=strict
|
||||
ProtectHome=tmpfs
|
||||
InaccessiblePaths=-/media -/mnt -/srv
|
||||
PrivateTmp=yes
|
||||
TemporaryFileSystem=/var /run /opt
|
||||
PrivateUsers=true
|
||||
PrivateDevices=true
|
||||
BindReadOnlyPaths=/opt/bookwyrm
|
||||
BindPaths=/opt/bookwyrm/images /opt/bookwyrm/static /var/run/postgresql
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=true
|
||||
PrivateMounts=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectControlGroups=true
|
||||
RestrictRealtime=true
|
||||
RestrictNamespaces=net
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
Loading…
Reference in a new issue