12345678910111213141516171819202122232425262728293031323334 |
- [Unit]
- Description=BookWyrm
- After=network.target postgresql.service redis.service
- [Service]
- User=bookwyrm
- Group=bookwyrm
- WorkingDirectory=/opt/bookwyrm
- ExecStart=/opt/bookwyrm/venv/bin/gunicorn bookwyrm.wsgi:application --bind 0.0.0.0:8000
- StandardOutput=journal
- StandardError=inherit
- ProtectSystem=strict
- ProtectHome=tmpfs
- InaccessiblePaths=-/media -/mnt -/srv
- PrivateTmp=yes
- TemporaryFileSystem=/var /run /opt
- PrivateUsers=true
- PrivateDevices=true
- BindReadOnlyPaths=/opt/bookwyrm
- BindPaths=/opt/bookwyrm/images /opt/bookwyrm/static /var/run/postgresql
- LockPersonality=yes
- MemoryDenyWriteExecute=true
- PrivateMounts=true
- ProtectHostname=true
- ProtectClock=true
- ProtectKernelTunables=true
- ProtectKernelModules=true
- ProtectKernelLogs=true
- ProtectControlGroups=true
- RestrictRealtime=true
- RestrictNamespaces=net
- [Install]
- WantedBy=multi-user.target
|