Diffstat (limited to 'templates/etc/systemd')
-rw-r--r--templates/etc/systemd/network/01-wired.network.j28
-rw-r--r--templates/etc/systemd/system/geodata-update@.timer.d/override.conf.j23
-rw-r--r--templates/etc/systemd/system/webmap-cgi.service37
3 files changed, 44 insertions, 4 deletions
diff --git a/templates/etc/systemd/network/01-wired.network.j2 b/templates/etc/systemd/network/01-wired.network.j2
index 7be5d21..dc85b2e 100644
--- a/templates/etc/systemd/network/01-wired.network.j2
+++ b/templates/etc/systemd/network/01-wired.network.j2
@@ -1,13 +1,13 @@
[Match]
-Name={{ ansible_default_ipv4.interface }}
+Name={{ ansible_facts.default_ipv4.interface }}
[Network]
DHCP=yes
-{% if ansible_default_ipv6.get('scope', '') == 'global' %}
+{% if ansible_facts.default_ipv6.get('scope', '') == 'global' %}
[Address]
-Address={{ ansible_default_ipv6.address }}/{{ ansible_default_ipv6.prefix }}
+Address={{ ansible_facts.default_ipv6.address }}/{{ ansible_facts.default_ipv6.prefix }}
[Route]
-Gateway={{ ansible_default_ipv6.gateway }}
+Gateway={{ ansible_facts.default_ipv6.gateway }}
{%- endif %}
diff --git a/templates/etc/systemd/system/geodata-update@.timer.d/override.conf.j2 b/templates/etc/systemd/system/geodata-update@.timer.d/override.conf.j2
new file mode 100644
index 0000000..103fbde
--- /dev/null
+++ b/templates/etc/systemd/system/geodata-update@.timer.d/override.conf.j2
@@ -0,0 +1,3 @@
+[Timer]
+OnCalendar=
+OnCalendar={{ geodata_layer_groups_update_calendar[item] }}
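Review bot: The empty `OnCalendar=` line looks like a leftover to anyone who does not know systemd's reset semantics, so it deserves a comment above it, for example `# Empty assignment clears the schedule inherited from geodata-update@.timer before setting the per-group one`. The lookup `geodata_layer_groups_update_calendar[item]` also depends on a loop variable `item` set by the calling task, which is outside this diff. A second comment naming the expected dictionary and its keys would help, since a missing key presumably aborts the render rather than producing a timer with no schedule.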
diff --git a/templates/etc/systemd/system/webmap-cgi.service b/templates/etc/systemd/system/webmap-cgi.service
new file mode 100644
index 0000000..9c9ffe9
--- /dev/null
+++ b/templates/etc/systemd/system/webmap-cgi.service
@@ -0,0 +1,37 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface)
+After=syslog.target network.target postgresql.service
+StopPropagatedFrom=postgresql.service postgresql@{{ postgresql.version }}-{{ postgresql.cluster }}.service
+
+[Service]
+DynamicUser=yes
+User=_webmap-cgi
+# Note: the "WARNING: you have enabled harakiri without post buffering" can
+# be ignored because body requests are in fact buffered on the nginx side
+ExecStart=/usr/bin/uwsgi -M -p2 \
+ --single-interpreter --die-on-term \
+ --close-on-exec --close-on-exec2 \
+ --max-requests 1000 \
+ --max-worker-lifetime 86400 \
+ --max-worker-lifetime-delta 11 \
+ --harakiri 60 \
+ --lazy-apps \
+ --plugins python3 \
+ --pythonpath /usr/local/share/geodata \
+ --wsgi-file /usr/local/libexec/webmap-cgi
+Nice=10
+RestartSec=15s
+Restart=always
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX
+
+[Install]
+WantedBy=multi-user.target
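Review bot: The `# Hardening` block in `[Service]` covers the filesystem, devices and kernel tunables but leaves capabilities, system calls, namespaces and personality unrestricted, for a worker that runs Python code on request data forwarded by nginx. Since the unit already sets `DynamicUser=yes` and `RestrictAddressFamilies=AF_UNIX`, the process should need no capabilities and only the ordinary service syscall set, so the directives below are likely safe to add. Check the result with `systemd-analyze security webmap-cgi.service` and a test request. `ExecStart` passes no socket option, so the listening socket presumably comes from a socket unit outside this diff. A short comment saying so, and stating that PostgreSQL is reached over its unix socket, would explain why `AF_UNIX` alone is sufficient.

```ini
# … unchanged: existing Hardening directives through ProtectKernelTunables …
RestrictAddressFamilies=AF_UNIX
CapabilityBoundingSet=
RestrictNamespaces=yes
LockPersonality=yes
RestrictRealtime=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
ProtectKernelLogs=yes
ProtectClock=yes
ProtectHostname=yes
```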