From f146f24c652b130451e2e06ad10b84c2a7c704f2 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 21 Aug 2025 17:02:08 +0200
Subject: CGI: Propagate stops from PostgreSQL.

---
 files/etc/systemd/system/webmap-cgi.service | 36 ------------------------
 tasks/webmap.yml | 8 +++---
 templates/etc/systemd/system/webmap-cgi.service | 37 +++++++++++++++++++++++++
 3 files changed, 41 insertions(+), 40 deletions(-)
 delete mode 100644 files/etc/systemd/system/webmap-cgi.service
 create mode 100644 templates/etc/systemd/system/webmap-cgi.service

diff --git a/files/etc/systemd/system/webmap-cgi.service b/files/etc/systemd/system/webmap-cgi.service
deleted file mode 100644
index 88f22e5..0000000
--- a/files/etc/systemd/system/webmap-cgi.service
+++ /dev/null
@@ -1,36 +0,0 @@
-[Unit]
-Description=Webmap CGI (Common Gateway Interface)
-After=syslog.target network.target postgresql.service
-
-[Service]
-DynamicUser=yes
-User=_webmap-cgi
-# Note: the "WARNING: you have enabled harakiri without post buffering" can
-# be ignored because body requests are in fact buffered on the nginx side
-ExecStart=/usr/bin/uwsgi -M -p2 \ --single-interpreter --die-on-term \ --close-on-exec --close-on-exec2 \ --max-requests 1000 \ --max-worker-lifetime 86400 \ --max-worker-lifetime-delta 11 \ --harakiri 60 \ --lazy-apps \ --plugins python3 \ --pythonpath /usr/local/share/webmap \ --wsgi-file /usr/libexec/webmap-cgi
-Nice=10
-RestartSec=15s
-Restart=always
-
-# Hardening
-NoNewPrivileges=yes
-ProtectHome=yes
-ProtectSystem=strict
-PrivateDevices=yes
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-RestrictAddressFamilies=AF_UNIX
-
-[Install]
-WantedBy=multi-user.target
diff --git a/tasks/webmap.yml b/tasks/webmap.yml
index 2db575d..35c9801 100644
--- a/tasks/webmap.yml
+++ b/tasks/webmap.yml
@@ -426,10 +426,10 @@ - systemctl daemon-reload
 - name: Copy webmap-cgi.service
- copy: src=etc/systemd/system/webmap-cgi.service
- dest=/etc/systemd/system/webmap-cgi.service
- owner=root group=root
- mode=0644
+ template: src=etc/systemd/system/webmap-cgi.service
+ dest=/etc/systemd/system/webmap-cgi.service
+ owner=root group=root
+ mode=0644
 notify: - systemctl daemon-reload - Stop webmap-cgi.service
diff --git a/templates/etc/systemd/system/webmap-cgi.service b/templates/etc/systemd/system/webmap-cgi.service
new file mode 100644
index 0000000..146a5ed
--- /dev/null
+++ b/templates/etc/systemd/system/webmap-cgi.service
@@ -0,0 +1,37 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface)
+After=syslog.target network.target postgresql.service
+StopPropagatedFrom=postgresql.service postgresql@{{ postgresql.version }}-{{ postgresql.cluster }}.service
+
+[Service]
+DynamicUser=yes
+User=_webmap-cgi
+# Note: the "WARNING: you have enabled harakiri without post buffering" can
+# be ignored because body requests are in fact buffered on the nginx side
+ExecStart=/usr/bin/uwsgi -M -p2 \ --single-interpreter --die-on-term \ --close-on-exec --close-on-exec2 \ --max-requests 1000 \ --max-worker-lifetime 86400 \ --max-worker-lifetime-delta 11 \ --harakiri 60 \ --lazy-apps \ --plugins python3 \ --pythonpath /usr/local/share/webmap \ --wsgi-file /usr/libexec/webmap-cgi
+Nice=10
+RestartSec=15s
+Restart=always
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX
+
+[Install]
+WantedBy=multi-user.target
-- cgit v1.2.3
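Review bot: The new `StopPropagatedFrom=` line in `[Unit]` gives this service a stop path from PostgreSQL but no start path back: `After=` is ordering only, and `Restart=always` does not re-start a unit that was stopped by a stop job, so a plain `systemctl stop` followed by `systemctl start` of the PostgreSQL unit leaves webmap-cgi stopped until someone starts it (a `restart` of PostgreSQL should, as far as I recall, be propagated as a try-restart and bring it back). If that is the intended behaviour, record it next to the directive, e.g. `# Stop together with PostgreSQL; Restart= does not revive a unit after a propagated stop, so a stop+start of PostgreSQL leaves this unit down`. `After=` also names only `postgresql.service` while the new directive names the cluster instance unit too; adding `postgresql@{{ postgresql.version }}-{{ postgresql.cluster }}.service` to `After=` keeps the ordering consistent when the instance unit is started on its own. The two template variables become part of a unit name, so they should be plain tokens without whitespace in the inventory.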