username/flaskpaste
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
flaskpaste/examples/flaskpaste.service
Username cf458347ef
All checks were successful
CI / Lint & Format (push) Successful in 18s
Details
CI / Security Scan (push) Successful in 23s
Details
CI / Memory Leak Check (push) Successful in 21s
Details
CI / Tests (push) Successful in 1m16s
Details
add systemd service unit and rate limit headers 
Systemd deployment:
- examples/flaskpaste.service with security hardening
- examples/flaskpaste.env with all config options
- README deployment section updated

Rate limit headers (X-RateLimit-*):
- Limit, Remaining, Reset on 201 and 429 responses
- Per-IP tracking with auth multiplier
- api.md documented
2025-12-24 17:51:14 +01:00

84 lines
1.9 KiB
Desktop File
Raw Permalink Blame History

# FlaskPaste systemd service unit
# Install: sudo cp flaskpaste.service /etc/systemd/system/
# Enable: sudo systemctl daemon-reload && sudo systemctl enable --now flaskpaste
#
# Configuration via environment file: /etc/flaskpaste/env
# See README.md for all available environment variables
[Unit]
Description=FlaskPaste REST API pastebin
Documentation=https://github.com/username/flaskpaste
After=network-online.target
Wants=network-online.target
[Service]
Type=exec
User=flaskpaste
Group=flaskpaste
WorkingDirectory=/opt/flaskpaste
# Environment configuration
EnvironmentFile=-/etc/flaskpaste/env
# Gunicorn WSGI server
# Workers = 2 * CPU cores + 1 (adjust based on load)
ExecStart=/opt/flaskpaste/venv/bin/gunicorn \
--bind 127.0.0.1:5000 \
--workers 4 \
--worker-class sync \
--timeout 30 \
--keep-alive 5 \
--max-requests 1000 \
--max-requests-jitter 50 \
--access-logfile - \
--error-logfile - \
--capture-output \
wsgi:app
# Restart policy
Restart=on-failure
RestartSec=5s
StartLimitIntervalSec=60
StartLimitBurst=3
# Resource limits
LimitNOFILE=65536
LimitNPROC=4096
# Security hardening (systemd v232+)
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# Read-write paths (database, data directory)
ReadWritePaths=/opt/flaskpaste/data
# Capabilities
CapabilityBoundingSet=
AmbientCapabilities=
# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=flaskpaste
[Install]
WantedBy=multi-user.target
Reference in New Issue View Git Blame Copy Permalink