snikket_ynh/conf/web.service


[Unit]
### see man systemd.unit
# Unit metadata and start-up ordering for the Snikket web service.
Description=Snikket Web Server
# Ordering only: After= delays start until these targets are reached when they
# are part of the same transaction; it does not pull them in or require them.
After=network.target remote-fs.target
Documentation=https://snikket.org/service/help/
[Service]
### See man systemd.service ###
# Runs the web application with hypercorn in the foreground (see ExecStart);
# systemd supervises that process directly.
# NOTE(review): several comments in this unit appear to have been carried over
# from a Prosody unit file; they are reworded below where the directive itself
# shows what it does for this service.
Type=simple
# Creates /run/snikket at start and removes it at stop; RuntimeDirectory= works
# independently of Type=.
# NOTE(review): nothing visible in this unit refers to /run/snikket - confirm
# the application needs it.
RuntimeDirectory=snikket
# Load environment file used by Snikket
# NOTE(review): presumably this file carries secrets or other sensitive
# settings - confirm, and if so keep its ownership and mode as tight as the
# deployment allows.
EnvironmentFile=/etc/snikket/environment
# Start hypercorn from the virtualenv under __INSTALL_DIR__.
# -b localhost:__PORT__ binds the listener to loopback only; presumably a
# reverse proxy on the same host fronts it - confirm before changing the bind.
# The '-' log targets send hypercorn's logs to the standard streams (see
# StandardOutput= below).
# __INSTALL_DIR__, __PORT__ and __APP__ look like template placeholders filled
# in at install time - verify against the packaging scripts.
ExecStart=__INSTALL_DIR__/snikket_web/.venv/bin/python3 -m hypercorn -b localhost:__PORT__ --access-logfile=- --log-file=- 'snikket_web:create_app()'
# NOTE(review): confirm hypercorn reloads on SIGHUP. If it does not handle the
# signal, "systemctl reload" terminates the process, and systemd may count that
# as a clean exit that Restart=on-abnormal does not restart.
ExecReload=/bin/kill -HUP $MAINPID
# Restart after an unclean signal (including a core dump), a timeout or a
# watchdog expiry. on-abnormal does NOT restart after a plain non-zero exit
# code, so a process that exits with an error status stays down.
Restart=on-abnormal
# Set O_NONBLOCK flag on sockets passed via socket activation
# (no .socket unit is visible here, so this may have no effect - TODO confirm)
NonBlocking=true
### See man systemd.exec ###
WorkingDirectory=__INSTALL_DIR__
# Run as the dedicated application account rather than root.
User=__APP__
Group=__APP__
# Nice=0
# Set stdin to /dev/null; the service is not expected to read from it
StandardInput=null
# Direct stdout to journald; stderr follows stdout via inherit
StandardOutput=journal
StandardError=inherit
# This usually defaults to 4k or so
# LimitNOFILE=1M
## Interesting protection methods
# Finding a useful combo of these settings would be nice
# NOTE(review): none of the sandboxing below is active, so the service runs
# with the full filesystem view of User=. The paths listed are Prosody's
# (/etc/prosody, /var/lib/prosody, /var/log/prosody), not this web service's;
# replace them with the paths this application actually reads and writes
# before enabling anything, and test each directive on a staging install.
# Current systemd spells the three path directives ReadWritePaths=,
# InaccessiblePaths= and ReadOnlyPaths=; the *Directories= names are the older
# spellings.
#
# Needs read access to /etc/prosody for config
# Needs write access to /var/lib/prosody for storing data (for internal storage)
# Needs write access to /var/log/prosody for writing logs (depending on config)
# Needs read access to code and libraries loaded
# ReadWriteDirectories=/var/lib/prosody /var/log/prosody
# InaccessibleDirectories=/boot /home /media /mnt /root /srv
# ReadOnlyDirectories=/usr /etc/prosody
# PrivateTmp=true
# PrivateDevices=true
# PrivateNetwork=false
# ProtectSystem=full
# ProtectHome=true
# ProtectKernelTunables=true
# ProtectControlGroups=true
# SystemCallFilter=
# The original caveat here is about LuaJIT, which this unit does not run; this
# unit starts python3. Native extensions that map writable+executable memory
# would still be affected, so test before enabling.
# This should break LuaJIT
# MemoryDenyWriteExecute=true
[Install]
# Once enabled, the unit is started as part of the multi-user target at boot.
WantedBy=multi-user.target