Diffstat (limited to 'files/etc/systemd/system')
-rw-r--r-- | files/etc/systemd/system/webmap-cgi.service | 36 | ||||
-rw-r--r-- | files/etc/systemd/system/webmap-cgi.socket | 11 | ||||
-rw-r--r-- | files/etc/systemd/system/webmap-download@.service | 37 | ||||
-rw-r--r-- | files/etc/systemd/system/webmap-import@.service | 37 | ||||
-rw-r--r-- | files/etc/systemd/system/webmap-update@.target | 3 | ||||
-rw-r--r-- | files/etc/systemd/system/webmap-update@.timer | 11 |
6 files changed, 135 insertions, 0 deletions
diff --git a/files/etc/systemd/system/webmap-cgi.service b/files/etc/systemd/system/webmap-cgi.service
new file mode 100644
index 0000000..88f22e5
--- /dev/null
+++ b/files/etc/systemd/system/webmap-cgi.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface)
+After=syslog.target network.target postgresql.service
+
+[Service]
+DynamicUser=yes
+User=_webmap-cgi
+# Note: the "WARNING: you have enabled harakiri without post buffering" can
+# be ignored because body requests are in fact buffered on the nginx side
+ExecStart=/usr/bin/uwsgi -M -p2 \
+ --single-interpreter --die-on-term \
+ --close-on-exec --close-on-exec2 \
+ --max-requests 1000 \
+ --max-worker-lifetime 86400 \
+ --max-worker-lifetime-delta 11 \
+ --harakiri 60 \
+ --lazy-apps \
+ --plugins python3 \
+ --pythonpath /usr/local/share/webmap \
+ --wsgi-file /usr/libexec/webmap-cgi
+Nice=10
+RestartSec=15s
+Restart=always
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX
+
+[Install]
+WantedBy=multi-user.target
diff --git a/files/etc/systemd/system/webmap-cgi.socket b/files/etc/systemd/system/webmap-cgi.socket
new file mode 100644
index 0000000..2828985
--- /dev/null
+++ b/files/etc/systemd/system/webmap-cgi.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface) activation socket
+After=syslog.target network.target
+
+[Socket]
+ListenStream=%t/webmap-cgi.socket
+SocketUser=www-data
+SocketMode=0666
+
+[Install]
+WantedBy=sockets.target
diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service
new file mode 100644
index 0000000..d7a49dc
--- /dev/null
+++ b/files/etc/systemd/system/webmap-download@.service
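Review bot: The `# Hardening` block in webmap-cgi.service leaves the uwsgi workers with the full capability bounding set and an unfiltered system-call surface, neither of which a Python request handler needs; adding `CapabilityBoundingSet=` (empty), `SystemCallFilter=@system-service` together with `SystemCallArchitectures=native`, and `RestrictNamespaces=yes`, `RestrictRealtime=yes`, `LockPersonality=yes`, `ProtectKernelLogs=yes` would close that gap at little cost. The same block is copied verbatim into webmap-download@.service and webmap-import@.service, which share the omissions (only the import unit adds `PrivateTmp=yes`). `MemoryDenyWriteExecute=yes` is worth trying as well, but it can break Python extensions that map writable-executable memory, so enable it only after a test run. `syslog.target` in the `After=` lines is obsolete and can be dropped, and `systemd-analyze security webmap-cgi.service` gives a quick check of the result.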
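Review bot: `SocketMode=0666` on `ListenStream=%t/webmap-cgi.socket` makes the uwsgi socket connectable by every local account, so `SocketUser=www-data` buys nothing and any local process can hand requests straight to the application, bypassing nginx and the request-body buffering the service's harakiri comment relies on. Since only nginx needs to reach it, pin it to that account: `SocketUser=www-data`, `SocketGroup=www-data`, `SocketMode=0660`. If another service must also connect, put it in a dedicated group rather than reopening the mode.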
@@ -0,0 +1,37 @@
+[Unit]
+Description=Webmap updater service (download ‘%I’)
+# Chaining logic from https://serverfault.com/questions/1079993/why-does-my-systemd-timer-only-trigger-once-when-the-unit-is-a-target#answer-1128671
+# XXX Looks like Upholds= prevents running a single unit, as it causes
+# webmap-update@%i.target to start upon `systemctl start webmap-download@foo.service`
+After=network-online.target webmap-update@%i.target
+Upholds=webmap-update@%i.target
+
+[Service]
+User=_webmap-download
+Group=_webmap
+
+Nice=15
+IOSchedulingClass=idle
+
+Type=oneshot
+ExecStart=/usr/local/bin/webmap-download \
+ --cachedir=%C/webmap \
+ --lockdir=%t/lock/webmap/cache \
+ --no-exit-code \
+ --quiet \
+ -- %I
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=%C/webmap
+ReadWritePaths=%t/lock/webmap/cache
+
+[Install]
+WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-import@.service b/files/etc/systemd/system/webmap-import@.service
new file mode 100644
index 0000000..964c37d
--- /dev/null
+++ b/files/etc/systemd/system/webmap-import@.service
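Review bot: webmap-download@.service omits `PrivateTmp=yes` although the sibling webmap-import@.service sets it, so the process that fetches remote data as `_webmap-download` still shares the host's /tmp; add `PrivateTmp=yes` to the `# Hardening` block so the two units match. `ReadWritePaths=%C/webmap` and `ReadWritePaths=%t/lock/webmap/cache` assume those directories already exist with ownership that lets `_webmap-download` write and the import unit's `_webmap` user read via the shared `_webmap` group, and nothing in this patch creates them; a comment naming where they are provisioned, e.g. `# %C/webmap and %t/lock/webmap are created by <provisioning step>, group _webmap`, would save the next reader a search. The `XXX` note about `Upholds=` records an unresolved behaviour and should either become a TODO with an owner or be settled before merge.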
@@ -0,0 +1,37 @@
+[Unit]
+Description=Webmap updater service (import ‘%I’ to PostGIS)
+After=postgresql.service webmap-update@%i.target
+After=webmap-download@%i.service
+Upholds=webmap-update@%i.target
+
+[Service]
+User=_webmap
+Group=_webmap
+
+Nice=15
+IOSchedulingClass=idle
+
+Type=oneshot
+ExecStart=/usr/local/bin/webmap-import \
+ --cachedir=%C/webmap \
+ --lockfile=%t/lock/webmap/lock \
+ --lockdir-sources=%t/lock/webmap/cache \
+ --mvtdir=/var/www/webmap/tiles/%I \
+ --mvt-compress \
+ -- %I
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ReadWritePaths=%t/lock/webmap
+ReadWritePaths=/var/www/webmap/tiles
+PrivateTmp=yes
+
+[Install]
+WantedBy=webmap-update@%i.target
diff --git a/files/etc/systemd/system/webmap-update@.target b/files/etc/systemd/system/webmap-update@.target
new file mode 100644
index 0000000..840de96
--- /dev/null
+++ b/files/etc/systemd/system/webmap-update@.target
@@ -0,0 +1,3 @@
+[Unit]
+Description=Webmap updater (target unit ‘%I’)
+StopWhenUnneeded=true
diff --git a/files/etc/systemd/system/webmap-update@.timer b/files/etc/systemd/system/webmap-update@.timer
new file mode 100644
index 0000000..74fb848
--- /dev/null
+++ b/files/etc/systemd/system/webmap-update@.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Webmap updater (timer unit)
+
+[Timer]
+OnCalendar=*-*-* 01:00:00
+AccuracySec=1s
+RandomizedDelaySec=3599
+Unit=webmap-update@%i.target
+
+[Install]
+WantedBy=timers.target |
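Review bot: `ReadWritePaths=/var/www/webmap/tiles` grants every import instance write access to the whole served tile tree, while the command line only writes `--mvtdir=/var/www/webmap/tiles/%I`; narrowing it to `ReadWritePaths=/var/www/webmap/tiles/%I` confines a misbehaving or compromised importer to its own instance's subtree of the web root. The per-instance directory must then exist before the unit starts (or be prefixed with `-` so a missing path is skipped rather than failing the unit), which is worth a comment next to the line. The import unit reads `--cachedir=%C/webmap` without listing it in `ReadWritePaths=`, which under `ProtectSystem=strict` correctly leaves the cache read-only for this user; a one-line comment saying so would make the asymmetry with the download unit look intentional.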
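Review bot: The `[Timer]` section of webmap-update@.timer has no `Persistent=true`, so a 01:00 run missed while the host is down is skipped until the next day instead of being caught up at boot; for a daily data refresh that is usually unwanted, and `Persistent=true` records the last trigger time and fires the missed run on the next start. `RandomizedDelaySec=3599` with `AccuracySec=1s` spreads instances across the full hour, which is reasonable, and a short comment stating that intent, e.g. `# spread instances over the hour to avoid a thundering herd on the upstream`, would keep the value from being "tidied" to 0 later. webmap-update@.target is a three-line unit and needs no change.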