mise en place package

2026-03-08 08:26:43 +01:00
commit 38ff196192
9 changed files with 650 additions and 0 deletions
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -0,0 +1,34 @@
+
+location __PATH__/static/ {
+    # Service static files by nginx
+    # e.g.: /var/www/$app/static/
+    alias __INSTALL_DIR__/static/;
+    expires 30d;
+}
+
+location __PATH__/ {
+    # https://github.com/benoitc/gunicorn/blob/master/examples/nginx.conf
+
+    # this is needed if you have file import via upload enabled
+    client_max_body_size 100M;
+
+    proxy_http_version 1.1;
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Protocol $scheme;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Scheme $scheme;
+
+    # Sets `HTTP_YNH_USER` used in django_yunohost_integration
+    proxy_set_header Ynh-User $http_ynh_user;
+
+    proxy_read_timeout 30;
+    proxy_send_timeout 30;
+    proxy_connect_timeout 30;
+    proxy_redirect off;
+
+    proxy_pass http://127.0.0.1:__PORT__;
+
+    # Include SSOWAT user panel.
+    include conf.d/yunohost_panel.conf.inc;
+}
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -0,0 +1,55 @@
+
+
+[Unit]
+Description=__APP__ gunicorn server
+After=network.target
+
+[Service]
+Type=simple
+User=__APP__
+Group=www-data
+WorkingDirectory=__INSTALL_DIR__/
+ExecStart=__INSTALL_DIR__/venv/bin/gunicorn \
+  -c gunicorn.conf.py \
+  djsiteweb.wsgi:application
+Restart=always
+RestartSec=3
+StandardOutput=append:/var/log/__APP__/__APP__.log
+StandardError=inherit
+
+### Depending on specificities of your service/app, you may need to tweak these
+### .. but this should be a good baseline
+# Sandboxing options to harden security
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=multi-user.target