switch to uwsgi service
This commit is contained in:
parent
41a5ed92f1
commit
9d23264fb2
3 changed files with 59 additions and 78 deletions
|
|
@ -34,6 +34,8 @@
|
||||||
install -Dm755 ${./fragify.py} $out/bin/fragify
|
install -Dm755 ${./fragify.py} $out/bin/fragify
|
||||||
mkdir -p $out/share/fragify
|
mkdir -p $out/share/fragify
|
||||||
cp -r ${./templates} $out/share/fragify/
|
cp -r ${./templates} $out/share/fragify/
|
||||||
|
# Provide a WSGI entry file for uWSGI to load
|
||||||
|
install -Dm644 ${./fragify.py} $out/share/fragify/fragify_wsgi.py
|
||||||
'';
|
'';
|
||||||
|
|
||||||
meta.mainProgram = "fragify";
|
meta.mainProgram = "fragify";
|
||||||
|
|
|
||||||
|
|
@ -16,6 +16,11 @@ class BaseTemplateResource:
|
||||||
|
|
||||||
def _get_template_dir(self):
|
def _get_template_dir(self):
|
||||||
"""Get the template directory path, handling both development and installed environments"""
|
"""Get the template directory path, handling both development and installed environments"""
|
||||||
|
# Allow overriding via environment variable (for packaged deployments)
|
||||||
|
env_dir = os.environ.get('FRAGIFY_TEMPLATES_DIR')
|
||||||
|
if env_dir and os.path.exists(env_dir):
|
||||||
|
return env_dir
|
||||||
|
|
||||||
# Get the directory where this script is located
|
# Get the directory where this script is located
|
||||||
script_dir = os.path.dirname(os.path.abspath(__file__))
|
script_dir = os.path.dirname(os.path.abspath(__file__))
|
||||||
|
|
||||||
|
|
|
||||||
130
module.nix
130
module.nix
|
|
@ -6,93 +6,67 @@
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
|
|
||||||
cfg = config.services.mail-quota-warning;
|
cfg = config.services.fragify;
|
||||||
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|
||||||
options = {
|
options = {
|
||||||
services.fragify = {
|
services.fragify = {
|
||||||
|
|
||||||
enable = lib.mkOption {
|
enable = lib.mkOption {
|
||||||
type = lib.types.bool;
|
type = lib.types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
description = ''
|
description = ''
|
||||||
Enable fragify web application.
|
Enable fragify web application.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
|
|
||||||
systemd.services."fragify" = {
|
# uWSGI application definition for Fragify
|
||||||
description = "fragify web application";
|
services.uwsgi.enable = true;
|
||||||
after = [ "network.target" ];
|
services.uwsgi.user = "fragify";
|
||||||
wants = [ "network-online.target" ];
|
services.uwsgi.group = "fragify";
|
||||||
environment = {
|
services.uwsgi.plugins = [ "python3" ];
|
||||||
PYTHONUNBUFFERED = "1";
|
services.uwsgi.instance."fragify" = {
|
||||||
};
|
type = "normal";
|
||||||
serviceConfig = {
|
chdir = "/";
|
||||||
Type = "simple";
|
# Load WSGI by file path from the packaged share dir
|
||||||
ExecStart = "${lib.getExe pkgs.fragify}";
|
wsgi-file = "${pkgs.fragify}/share/fragify/fragify_wsgi.py";
|
||||||
WorkingDirectory = "%S/fragify";
|
module = "fragify:app";
|
||||||
StateDirectory = "fragify";
|
pythonPackages = p: with p; [ falcon requests jinja2 ];
|
||||||
User = "fragify";
|
env = {
|
||||||
Group = "fragify";
|
FRAGIFY_TEMPLATES_DIR = "${pkgs.fragify}/share/fragify/templates";
|
||||||
|
};
|
||||||
|
socket = "unix:${config.services.uwsgi.runDir}/fragify.sock";
|
||||||
|
chmod-socket = "660";
|
||||||
|
umask = "0077";
|
||||||
|
vacuum = true;
|
||||||
|
master = true;
|
||||||
|
processes = 2;
|
||||||
|
threads = 2;
|
||||||
|
harakiri = 60;
|
||||||
|
buffer-size = 65535;
|
||||||
|
# Security hardening
|
||||||
|
need-app = true;
|
||||||
|
no-orphans = true;
|
||||||
|
};
|
||||||
|
|
||||||
# hardening
|
# Ensure fragify user and group exist
|
||||||
AmbientCapabilities = "";
|
users.users.fragify = {
|
||||||
CapabilityBoundingSet = "";
|
isSystemUser = true;
|
||||||
DevicePolicy = "closed";
|
group = "fragify";
|
||||||
DynamicUser = false;
|
description = "fragify web application user";
|
||||||
LockPersonality = true;
|
};
|
||||||
MemoryDenyWriteExecute = true;
|
|
||||||
NoNewPrivileges = true;
|
|
||||||
PrivateDevices = true;
|
|
||||||
PrivateTmp = true;
|
|
||||||
PrivateUsers = false;
|
|
||||||
ProcSubset = "pid";
|
|
||||||
ProtectClock = true;
|
|
||||||
ProtectControlGroups = true;
|
|
||||||
ProtectHome = true;
|
|
||||||
ProtectHostname = true;
|
|
||||||
ProtectKernelLogs = true;
|
|
||||||
ProtectKernelModules = true;
|
|
||||||
ProtectKernelTunables = true;
|
|
||||||
ProtectProc = "invisible";
|
|
||||||
ProtectSystem = "strict";
|
|
||||||
RemoveIPC = true;
|
|
||||||
RestrictAddressFamilies = [
|
|
||||||
"AF_INET"
|
|
||||||
"AF_INET6"
|
|
||||||
];
|
|
||||||
RestrictNamespaces = true;
|
|
||||||
RestrictRealtime = true;
|
|
||||||
RestrictSUIDSGID = true;
|
|
||||||
SystemCallArchitectures = "native";
|
|
||||||
SystemCallFilter = [
|
|
||||||
"@system-service"
|
|
||||||
"~@privileged"
|
|
||||||
];
|
|
||||||
UMask = "0077";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# Create fragify user and group
|
users.groups.fragify = {};
|
||||||
users.users.fragify = {
|
};
|
||||||
isSystemUser = true;
|
|
||||||
group = "fragify";
|
|
||||||
description = "fragify web application user";
|
|
||||||
};
|
|
||||||
|
|
||||||
users.groups.fragify = {};
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
meta = {
|
|
||||||
maintainers = with lib.maintainers; [ onny ];
|
|
||||||
};
|
|
||||||
|
|
||||||
|
meta = {
|
||||||
|
maintainers = with lib.maintainers; [ onny ];
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue