fixup! Add sandboxing to systemd examples
hbrunn committed Aug 24, 2023
1 parent 8e8d850 commit bd765a7
Showing 3 changed files with 12 additions and 9 deletions.
7 changes: 4 additions & 3 deletions contrib/systemd/bookwyrm-scheduler.service
Expand Up @@ -5,15 +5,16 @@ After=network.target postgresql.service redis.service
[Service]
User=bookwyrm
Group=bookwyrm
WorkingDirectory=/opt/bookwyrm/
WorkingDirectory=/opt/bookwyrm
ExecStart=/opt/bookwyrm/venv/bin/celery -A celerywyrm beat -l INFO --scheduler django_celery_beat.schedulers:DatabaseScheduler
StandardOutput=journal
StandardError=inherit
ProtectSystem=strict
ProtectHome=tmpfs
InaccessiblePaths=-/media -/mnt -/srv
TemporaryFileSystem=/tmp /var /run
BindPaths=/run/postgresql /var/run/postgresql /var/tmp /opt/bookwyrm
PrivateTmp=yes
TemporaryFileSystem=/var /run /opt
BindPaths=/opt/bookwyrm /var/run/postgresql
PrivateUsers=true

[Install]
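Review bot: `BindPaths=/opt/bookwyrm` keeps the whole application tree writable inside the sandbox, including the `venv` that `ExecStart` runs from, so `ProtectSystem=strict` does not stop a compromised process from rewriting its own code. This assumes the `TemporaryFileSystem=/var /run /opt` and two-path `BindPaths=` lines are the new side, since the rendered page has lost its +/- markers. Consider `BindReadOnlyPaths=/opt/bookwyrm` plus a separate `BindPaths=` that lists only the directories the service must write to, e.g. `BindPaths=/opt/bookwyrm/<writable-dir>` (placeholder path). The same line appears in bookwyrm-worker.service and bookwyrm.service. A short comment above the `TemporaryFileSystem=`/`BindPaths=` pair saying that /opt is masked and only the install directory is re-exposed would help anyone adapting the example to a different install path.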
7 changes: 4 additions & 3 deletions contrib/systemd/bookwyrm-worker.service
Expand Up @@ -5,15 +5,16 @@ After=network.target postgresql.service redis.service
[Service]
User=bookwyrm
Group=bookwyrm
WorkingDirectory=/opt/bookwyrm/
WorkingDirectory=/opt/bookwyrm
ExecStart=/opt/bookwyrm/venv/bin/celery -A celerywyrm worker -l info -Q high_priority,medium_priority,low_priority,streams,images,suggested_users,email,connectors,lists,inbox,imports,import_triggered,broadcast,misc
StandardOutput=journal
StandardError=inherit
ProtectSystem=strict
ProtectHome=tmpfs
InaccessiblePaths=-/media -/mnt -/srv
TemporaryFileSystem=/tmp /var /run
BindPaths=/run/postgresql /var/run/postgresql /var/tmp /opt/bookwyrm
PrivateTmp=yes
TemporaryFileSystem=/var /run /opt
BindPaths=/opt/bookwyrm /var/run/postgresql
PrivateUsers=true

[Install]
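Review bot: `BindPaths=/opt/bookwyrm /var/run/postgresql` has no `-` prefix on the socket directory, so on a host where `/var/run/postgresql` does not exist (database on another machine, or reached only over TCP) systemd would fail the mount-namespace setup and the unit would not start. The `InaccessiblePaths=` line just above already uses the tolerant form; `BindPaths=/opt/bookwyrm -/var/run/postgresql` would match it. The line is identical in bookwyrm-scheduler.service and bookwyrm.service.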
7 changes: 4 additions & 3 deletions contrib/systemd/bookwyrm.service
Expand Up @@ -5,15 +5,16 @@ After=network.target postgresql.service redis.service
[Service]
User=bookwyrm
Group=bookwyrm
WorkingDirectory=/opt/bookwyrm/
WorkingDirectory=/opt/bookwyrm
ExecStart=/opt/bookwyrm/venv/bin/gunicorn bookwyrm.wsgi:application --bind 0.0.0.0:8000
StandardOutput=journal
StandardError=inherit
ProtectSystem=strict
ProtectHome=tmpfs
InaccessiblePaths=-/media -/mnt -/srv
TemporaryFileSystem=/tmp /var /run
BindPaths=/run/postgresql /var/run/postgresql /var/tmp /opt/bookwyrm
PrivateTmp=yes
TemporaryFileSystem=/var /run /opt
BindPaths=/opt/bookwyrm /var/run/postgresql
PrivateUsers=true

[Install]
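Review bot: `--bind 0.0.0.0:8000` on the `ExecStart` line leaves gunicorn listening on every interface, which the filesystem sandboxing adjusted here does nothing to limit. If this example is meant to sit behind a local reverse proxy (not visible on this page), `--bind 127.0.0.1:8000` would keep the application server off external interfaces; otherwise a comment stating that the port is intentionally exposed would be useful. This line is context in the hunk, not something the commit changed.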
