forked from username/flaskpaste
cf458347ef
Systemd deployment: - examples/flaskpaste.service with security hardening - examples/flaskpaste.env with all config options - README deployment section updated Rate limit headers (X-RateLimit-*): - Limit, Remaining, Reset on 201 and 429 responses - Per-IP tracking with auth multiplier - api.md documented
84 lines
1.9 KiB
Desktop File
84 lines
1.9 KiB
Desktop File
# FlaskPaste systemd service unit
|
|
# Install: sudo cp flaskpaste.service /etc/systemd/system/
|
|
# Enable: sudo systemctl daemon-reload && sudo systemctl enable --now flaskpaste
|
|
#
|
|
# Configuration via environment file: /etc/flaskpaste/env
|
|
# See README.md for all available environment variables
|
|
|
|
[Unit]
|
|
Description=FlaskPaste REST API pastebin
|
|
Documentation=https://github.com/username/flaskpaste
|
|
After=network-online.target
|
|
Wants=network-online.target
|
|
|
|
[Service]
|
|
Type=exec
|
|
User=flaskpaste
|
|
Group=flaskpaste
|
|
WorkingDirectory=/opt/flaskpaste
|
|
|
|
# Environment configuration
|
|
EnvironmentFile=-/etc/flaskpaste/env
|
|
|
|
# Gunicorn WSGI server
|
|
# Workers = 2 * CPU cores + 1 (adjust based on load)
|
|
ExecStart=/opt/flaskpaste/venv/bin/gunicorn \
|
|
--bind 127.0.0.1:5000 \
|
|
--workers 4 \
|
|
--worker-class sync \
|
|
--timeout 30 \
|
|
--keep-alive 5 \
|
|
--max-requests 1000 \
|
|
--max-requests-jitter 50 \
|
|
--access-logfile - \
|
|
--error-logfile - \
|
|
--capture-output \
|
|
wsgi:app
|
|
|
|
# Restart policy
|
|
Restart=on-failure
|
|
RestartSec=5s
|
|
StartLimitIntervalSec=60
|
|
StartLimitBurst=3
|
|
|
|
# Resource limits
|
|
LimitNOFILE=65536
|
|
LimitNPROC=4096
|
|
|
|
# Security hardening (systemd v232+)
|
|
NoNewPrivileges=yes
|
|
PrivateTmp=yes
|
|
PrivateDevices=yes
|
|
ProtectSystem=strict
|
|
ProtectHome=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectKernelModules=yes
|
|
ProtectKernelLogs=yes
|
|
ProtectControlGroups=yes
|
|
ProtectClock=yes
|
|
ProtectHostname=yes
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
RestrictNamespaces=yes
|
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
|
LockPersonality=yes
|
|
MemoryDenyWriteExecute=yes
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=@system-service
|
|
SystemCallFilter=~@privileged @resources
|
|
|
|
# Read-write paths (database, data directory)
|
|
ReadWritePaths=/opt/flaskpaste/data
|
|
|
|
# Capabilities
|
|
CapabilityBoundingSet=
|
|
AmbientCapabilities=
|
|
|
|
# Logging
|
|
StandardOutput=journal
|
|
StandardError=journal
|
|
SyslogIdentifier=flaskpaste
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|