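# systemd service unit that runs the Webmap CGI as a WSGI application under
# uWSGI. No --socket option is passed in ExecStart, so the listening socket
# presumably comes from a companion .socket unit (TODO confirm).

[Unit]
Description=Webmap CGI (Common Gateway Interface)
# After= only orders start-up: it neither pulls postgresql.service in nor
# stops this unit when the database goes away.
# NOTE(review): syslog.target is a legacy target that current systemd no
# longer provides; ordering after it should be a harmless no-op.
After=syslog.target network.target postgresql.service

[Service]
# Run under an unprivileged account allocated by systemd at start-up. If a
# static user named _webmap-cgi already exists, that account is used instead.
DynamicUser=yes
User=_webmap-cgi

# Note: the "WARNING: you have enabled harakiri without post buffering" can
# be ignored because body requests are in fact buffered on the nginx side.
# That reasoning holds only while nginx keeps request buffering enabled
# (uwsgi_request_buffering on, its default). With buffering off, a worker
# would read the body straight from a slow client and that time would count
# against the 60 s harakiri limit.
#
# Flags: master process with 2 workers; workers are recycled after 1000
# requests or 86400 s, with the lifetime staggered per worker by the delta so
# they do not all restart together; the application is loaded in each worker
# (--lazy-apps) rather than in the master.
ExecStart=/usr/bin/uwsgi -M -p2 \
    --single-interpreter --die-on-term \
    --close-on-exec --close-on-exec2 \
    --max-requests 1000 \
    --max-worker-lifetime 86400 \
    --max-worker-lifetime-delta 11 \
    --harakiri 60 \
    --lazy-apps \
    --plugins python3 \
    --pythonpath /usr/local/share/webmap \
    --wsgi-file /usr/libexec/webmap-cgi

Nice=10
RestartSec=15s
Restart=always

# Hardening
# DynamicUser=yes already implies NoNewPrivileges=yes, ProtectSystem=strict,
# ProtectHome=read-only and PrivateTmp=yes. They are stated explicitly (and
# ProtectHome tightened to "yes", i.e. inaccessible) so the policy stays
# visible and survives a later switch to a static account.
NoNewPrivileges=yes
ProtectHome=yes
# The file system is read-only for this service. No StateDirectory= or
# ReadWritePaths= is declared, so the application is expected to write only to
# its private /tmp.
ProtectSystem=strict
PrivateDevices=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# Only AF_UNIX sockets may be created, so a compromised worker cannot open
# TCP/UDP connections. This also means the database and the front end must be
# reached over UNIX sockets. Sockets inherited through socket activation are
# not affected by this filter.
RestrictAddressFamilies=AF_UNIX

# Further isolation for an unprivileged service that needs no capabilities,
# namespaces, real-time scheduling or foreign-ABI binaries. Older systemd
# releases that do not know a directive ignore it with a warning.
CapabilityBoundingSet=
LockPersonality=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelLogs=yes
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallArchitectures=native
# NOTE(review): SystemCallFilter=@system-service and
# MemoryDenyWriteExecute=yes are further candidates, but either can break
# native Python extensions. Test before enabling, and check the result with
# "systemd-analyze security <unit-name>.service".

[Install]
WantedBy=multi-user.target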