From a39a6afea620fad2a88a171a3813c8bf211f50e2 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 22 May 2025 11:35:32 +0200
Subject: Deploy the webmap CGI.

We also lower tile expiration time from 8h to 30m to reduce the race condition where the database an the on-disk tiles are not in sync.
---
 files/etc/systemd/system/webmap-cgi.service | 36 +++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 files/etc/systemd/system/webmap-cgi.service
(limited to 'files/etc/systemd/system/webmap-cgi.service')
diff --git a/files/etc/systemd/system/webmap-cgi.service b/files/etc/systemd/system/webmap-cgi.service
new file mode 100644
index 0000000..88f22e5
--- /dev/null
+++ b/files/etc/systemd/system/webmap-cgi.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=Webmap CGI (Common Gateway Interface)
+After=syslog.target network.target postgresql.service
+
+[Service]
+DynamicUser=yes
+User=_webmap-cgi
+# Note: the "WARNING: you have enabled harakiri without post buffering" can
+# be ignored because body requests are in fact buffered on the nginx side
+ExecStart=/usr/bin/uwsgi -M -p2 \ --single-interpreter --die-on-term \ --close-on-exec --close-on-exec2 \ --max-requests 1000 \ --max-worker-lifetime 86400 \ --max-worker-lifetime-delta 11 \ --harakiri 60 \ --lazy-apps \ --plugins python3 \ --pythonpath /usr/local/share/webmap \ --wsgi-file /usr/libexec/webmap-cgi
+Nice=10
+RestartSec=15s
+Restart=always
+
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX
+
+[Install]
+WantedBy=multi-user.target
-- cgit v1.2.3
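Review bot: The `# Hardening` block of the new unit leaves the syscall surface and capability set wide open — there is no `SystemCallFilter=`, `SystemCallArchitectures=`, `CapabilityBoundingSet=` or `RestrictNamespaces=`, so a compromised uWSGI worker keeps every syscall and any capability it already holds (`NoNewPrivileges=yes` only prevents acquiring new ones through setuid/fscaps binaries). A uWSGI/Python WSGI worker normally runs fine under the `@system-service` filter, `native` architectures and an empty bounding set, but the lines below should be exercised against the real app before deploy, and `MemoryDenyWriteExecute=yes` is deliberately left out because Python extension modules may need writable-and-executable mappings. Two smaller points: `After=syslog.target` is a long-obsolete target and can be dropped, and `RestrictAddressFamilies=AF_UNIX` means the PostgreSQL connection implied by `After=postgresql.service` must go over the local Unix socket — with a TCP `host=` in the connection string, `socket()` fails with EAFNOSUPPORT rather than falling back. Finally, `DynamicUser=yes` combined with an explicit `User=_webmap-cgi` deserves a one-line comment stating which is intended: if `_webmap-cgi` exists statically on the host, systemd uses that account as-is and allocates nothing transient, which changes who owns anything the service writes.
```ini
# … unchanged: [Unit], DynamicUser/User, ExecStart, Nice/Restart and the existing hardening lines …
RestrictAddressFamilies=AF_UNIX
ProtectClock=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectProc=invisible
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
CapabilityBoundingSet=
SystemCallArchitectures=native
SystemCallFilter=@system-service
```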