path: root/templates/etc/systemd/system/webmap-cgi.service
blob: 146a5ed9de1b67e511cf932460aca783259461f0 (plain)
# systemd unit for the Webmap CGI application server (uWSGI).
# NOTE(review): the {{ ... }} expressions below look like template placeholders
# that are substituted before the unit is installed; confirm against the
# deployment tooling.
[Unit]
Description=Webmap CGI (Common Gateway Interface)
# Ordering only: start after these units when they are part of the same
# transaction. After= does not pull postgresql.service in, and it does not make
# this unit fail when PostgreSQL is absent.
After=syslog.target network.target postgresql.service
# A stop request on either listed PostgreSQL unit is propagated to this unit,
# so the application does not keep running without its database.
StopPropagatedFrom=postgresql.service postgresql@{{ postgresql.version }}-{{ postgresql.cluster }}.service

[Service]
# Run under a user that systemd allocates for the lifetime of the service,
# named _webmap-cgi. If a statically allocated account of that name already
# exists, systemd uses it instead and no dynamic user is allocated.
# DynamicUser= also implies PrivateTmp=, RemoveIPC=, NoNewPrivileges=,
# RestrictSUIDSGID=, ProtectSystem=strict and ProtectHome=read-only.
DynamicUser=yes
User=_webmap-cgi
# uWSGI invocation: master process (-M) with two workers (-p2), one Python
# interpreter, exit (rather than reload) on SIGTERM, close-on-exec set on
# connection and server sockets. Workers are recycled after 1000 requests or
# after 86400 s, with a per-worker offset of 11 s so they do not all restart
# together; a request running longer than 60 s gets its worker killed
# (harakiri). --lazy-apps loads the application in each worker instead of in
# the master.
# NOTE(review): no --socket option is given; presumably the listening socket is
# passed in by a companion .socket unit - confirm.
# NOTE(review): the --pythonpath directory and the --wsgi-file are executed as
# the service; verify both are root-owned and not writable by other accounts.
# Note: the "WARNING: you have enabled harakiri without post buffering" message
# can be ignored because request bodies are in fact buffered on the nginx side.
ExecStart=/usr/bin/uwsgi -M -p2 \
    --single-interpreter --die-on-term \
    --close-on-exec --close-on-exec2 \
    --max-requests 1000 \
    --max-worker-lifetime 86400 \
    --max-worker-lifetime-delta 11 \
    --harakiri 60 \
    --lazy-apps \
    --plugins python3 \
    --pythonpath /usr/local/share/webmap \
    --wsgi-file /usr/libexec/webmap-cgi
# Lower scheduling priority than default (nice 0).
Nice=10
# Restart on any exit, clean or not, after waiting 15 s.
RestartSec=15s
Restart=always

# Hardening
# NoNewPrivileges= and ProtectSystem=strict are already implied by
# DynamicUser=yes and are spelled out here explicitly. ProtectHome=yes is
# stricter than the implied read-only mode: /home, /root and /run/user become
# inaccessible. No ReadWritePaths=/StateDirectory= is set, so apart from the
# API file systems and the private /tmp the file system is read-only for the
# service.
NoNewPrivileges=yes
ProtectHome=yes
ProtectSystem=strict
PrivateDevices=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# Only UNIX-domain sockets may be created with socket(2); IPv4/IPv6 and netlink
# sockets are refused. Sockets handed to the process from outside (e.g. socket
# activation) are not affected by this filter.
# NOTE(review): presumably PostgreSQL is reached over its UNIX socket - confirm.
RestrictAddressFamilies=AF_UNIX
# NOTE(review): further sandboxing candidates not set here, each to be tested
# against the application before enabling: CapabilityBoundingSet=,
# ProtectKernelLogs=, ProtectClock=, ProtectHostname=, LockPersonality=,
# RestrictNamespaces=, RestrictRealtime=, SystemCallArchitectures=native,
# SystemCallFilter=@system-service. `systemd-analyze security` on the installed
# unit lists what remains exposed.

[Install]
# `systemctl enable` hooks the unit into multi-user.target, so it is started as
# part of a normal (non-rescue) boot.
WantedBy=multi-user.target