authorGuilhem Moulin <guilhem@fripost.org>2025-08-21 17:02:08 +0200
committerGuilhem Moulin <guilhem@fripost.org>2025-08-21 17:06:14 +0200
commitf146f24c652b130451e2e06ad10b84c2a7c704f2 (patch)
treeea3f7c56552f20c511cd5aded83af4f8462e65fb /templates
parent1d286bd2dce540fca7957ff7c9c7bbda20f5dca1 (diff)
CGI: Propagate stops from PostgreSQL.
Diffstat (limited to 'templates')
-rw-r--r--templates/etc/systemd/system/webmap-cgi.service37
1 files changed, 37 insertions, 0 deletions
diff --git a/templates/etc/systemd/system/webmap-cgi.service b/templates/etc/systemd/system/webmap-cgi.service
new file mode 100644
index 0000000..146a5ed
--- /dev/null
+++ b/templates/etc/systemd/system/webmap-cgi.service
@@ -0,0 +1,37 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface)
+After=syslog.target network.target postgresql.service
+StopPropagatedFrom=postgresql.service postgresql@{{ postgresql.version }}-{{ postgresql.cluster }}.service
+
+[Service]
+DynamicUser=yes
+User=_webmap-cgi
+# Note: the "WARNING: you have enabled harakiri without post buffering" can
+# be ignored because body requests are in fact buffered on the nginx side
+ExecStart=/usr/bin/uwsgi -M -p2 \
+ --single-interpreter --die-on-term \
+ --close-on-exec --close-on-exec2 \
+ --max-requests 1000 \
+ --max-worker-lifetime 86400 \
+ --max-worker-lifetime-delta 11 \
+ --harakiri 60 \
+ --lazy-apps \
+ --plugins python3 \
+ --pythonpath /usr/local/share/webmap \
+ --wsgi-file /usr/libexec/webmap-cgi
+Nice=10
+RestartSec=15s
+Restart=always
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX
+
+[Install]
+WantedBy=multi-user.target
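Review bot: `After=` on line 24 orders the service after postgresql.service only, while `StopPropagatedFrom=` on line 25 also names the per-cluster instance `postgresql@{{ postgresql.version }}-{{ postgresql.cluster }}.service`; unless postgresql.service is itself ordered after its instances, uwsgi can start before the cluster accepts connections, so the instance unit probably belongs in `After=` as well (and `syslog.target` there is a long-obsolete alias that can be dropped). A propagated stop is an explicit stop job, so `Restart=always` will not bring the service back after PostgreSQL is restarted; if a webmap-cgi.socket unit activates it on demand that is fine, otherwise a `Wants=` on the instance unit is needed. The hardening block is a reasonable baseline but leaves the syscall, namespace and capability surface open for a process that handles request bodies from nginx; the usual additions are below (`ProtectProc=` needs systemd ≥ 247). Note that `DynamicUser=yes` already implies NoNewPrivileges, ProtectSystem=strict, PrivateTmp and RemoveIPC among others, so the explicit lines 48 and 50 are harmless duplicates.
```ini
[Service]
# … unchanged: DynamicUser, User, ExecStart, Nice, Restart*, existing Hardening lines …
CapabilityBoundingSet=
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectProc=invisible
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
```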