summaryrefslogtreecommitdiffstats
path: root/files/etc/systemd/system/webmap-cgi.service
diff options
context:
space:
mode:
Diffstat (limited to 'files/etc/systemd/system/webmap-cgi.service')
-rw-r--r--files/etc/systemd/system/webmap-cgi.service36
1 files changed, 36 insertions, 0 deletions
diff --git a/files/etc/systemd/system/webmap-cgi.service b/files/etc/systemd/system/webmap-cgi.service
new file mode 100644
index 0000000..88f22e5
--- /dev/null
+++ b/files/etc/systemd/system/webmap-cgi.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface)
+After=syslog.target network.target postgresql.service
+
+[Service]
+DynamicUser=yes
+User=_webmap-cgi
+# Note: the "WARNING: you have enabled harakiri without post buffering" can
+# be ignored because body requests are in fact buffered on the nginx side
+ExecStart=/usr/bin/uwsgi -M -p2 \
+ --single-interpreter --die-on-term \
+ --close-on-exec --close-on-exec2 \
+ --max-requests 1000 \
+ --max-worker-lifetime 86400 \
+ --max-worker-lifetime-delta 11 \
+ --harakiri 60 \
+ --lazy-apps \
+ --plugins python3 \
+ --pythonpath /usr/local/share/webmap \
+ --wsgi-file /usr/libexec/webmap-cgi
+Nice=10
+RestartSec=15s
+Restart=always
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX
+
+[Install]
+WantedBy=multi-user.target
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-02 14:02:59 +0000