🎉 Added production setup documentation and scripts, improved firewall configuration, and updated systemd services for production environment. 🖥️🔒📡
@@ -1,8 +1,8 @@
[Unit]
Description=MYP Kiosk Browser Autostart (Chromium HTTPS) - Wartungsfreier Produktionsbetrieb
Documentation=https://github.com/MYP-Druckerverwaltung
After=graphical-session.target myp-https.service network-online.target
Wants=myp-https.service network-online.target
After=graphical-session.target myp-production.service network-online.target
Wants=myp-production.service network-online.target
Requires=graphical-session.target
StartLimitBurst=5
StartLimitInterval=600
@@ -33,17 +33,20 @@ ExecStartPre=/bin/bash -c '\
sleep 2; \
done; \
\
# Warte auf HTTP-Backend mit verbesserter Erkennung \
echo "🔍 Warte auf HTTP Backend..."; \
# Warte auf HTTPS-Backend (Port 443) \
echo "🔍 Warte auf HTTPS Backend (Port 443)..."; \
for i in {1..120}; do \
if curl -s --connect-timeout 3 --max-time 5 http://localhost:5000/api/kiosk/status >/dev/null 2>&1; then \
echo "✅ HTTP Backend erreichbar und API verfügbar"; \
if curl -k -s --connect-timeout 3 --max-time 5 https://localhost:443/api/kiosk/status >/dev/null 2>&1; then \
echo "✅ HTTPS Backend erreichbar und API verfügbar"; \
break; \
elif curl -s --connect-timeout 3 --max-time 5 http://localhost:5000 >/dev/null 2>&1; then \
echo "✅ HTTP Backend erreichbar"; \
elif curl -k -s --connect-timeout 3 --max-time 5 https://localhost:443 >/dev/null 2>&1; then \
echo "✅ HTTPS Backend erreichbar"; \
break; \
elif curl -k -s --connect-timeout 3 --max-time 5 https://localhost >/dev/null 2>&1; then \
echo "✅ HTTPS Backend erreichbar (Standard-Port)"; \
break; \
fi; \
echo "⏳ Warte auf Backend... ($i/120)"; \
echo "⏳ Warte auf HTTPS Backend... ($i/120)"; \
sleep 3; \
done; \
\
@@ -162,9 +165,9 @@ ExecStart=/bin/bash -c '\
--new-instance"; \
fi; \
\
# URL mit intelligenter Ermittlung \
# URL mit intelligenter Ermittlung (HTTPS-Only) \
TARGET_URL=$(/opt/myp/scripts/get_kiosk_url.sh); \
[ -z "$TARGET_URL" ] && TARGET_URL="http://localhost:5000"; \
[ -z "$TARGET_URL" ] && TARGET_URL="https://localhost"; \
\
# Browser starten mit Fehlerbehandlung \
echo "🖥️ Starte $BROWSER im Kiosk-Modus..."; \
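--- /dev/null
+++ b/backend/systemd/myp-production.service
@@ -0,0 +1,69 @@
+[Unit]
+Description=MYP Druckerverwaltung HTTPS Production Server (Port 443 Only)
+Documentation=https://github.com/MYP-Druckerverwaltung
+After=network.target network-online.target
+Wants=network-online.target
+Requires=network.target
+
+[Service]
+Type=simple
+User=root
+Group=root
+WorkingDirectory=/opt/myp
+
+# Produktions-App mit HTTPS-Only auf Port 443
+ExecStart=/usr/bin/python3 /opt/myp/app_production.py
+Restart=always
+RestartSec=10
+StartLimitBurst=5
+StartLimitInterval=300
+
+# Umgebungsvariablen für Produktionsbetrieb
+Environment=PYTHONUNBUFFERED=1
+Environment=FLASK_ENV=production
+Environment=FLASK_HOST=0.0.0.0
+Environment=FLASK_PORT=443
+Environment=PYTHONPATH=/opt/myp
+Environment=LC_ALL=C.UTF-8
+Environment=LANG=C.UTF-8
+Environment=KIOSK_MODE=true
+Environment=USE_OPTIMIZED_CONFIG=true
+Environment=HTTPS_ONLY=true
+Environment=SSL_REQUIRED=true
+
+# Logging-Konfiguration
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=myp-production
+
+# Sicherheitseinstellungen für Produktionsbetrieb
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/opt/myp
+ReadWritePaths=/var/log
+
+# Netzwerk-Sicherheit
+PrivateNetwork=false
+RestrictAddressFamilies=AF_INET AF_INET6
+IPAddressDeny=any
+IPAddressAllow=localhost
+IPAddressAllow=127.0.0.0/8
+IPAddressAllow=10.0.0.0/8
+IPAddressAllow=192.168.0.0/16
+IPAddressAllow=172.16.0.0/12
+
+# Ressourcen-Limits
+LimitNOFILE=65536
+LimitNPROC=4096
+MemoryHigh=512M
+MemoryMax=1G
+CPUQuota=80%
+
+# Capabilities für Port 443 (privilegierter Port)
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target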
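Review bot: `User=root`/`Group=root` combined with `ReadWritePaths=/opt/myp` lets the service, and anything that compromises the Flask app, rewrite its own code, because `ExecStart` runs `/opt/myp/app_production.py` out of that same writable tree; the `AmbientCapabilities=CAP_NET_BIND_SERVICE` block at the end only has an effect for a non-root account, which suggests a dedicated user was intended. I would run it as `User=myp` / `Group=myp` (created by the setup script) and narrow `ReadWritePaths=` to the subdirectories the app actually writes (database, uploads, logs) instead of all of /opt/myp and /var/log; `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` does strip the other capabilities from root, but uid 0 can still write the files it owns under /opt/myp. Note also that `StartLimitBurst=`/`StartLimitInterval=` sit under [Service] here while the kiosk unit touched in this same commit keeps them in [Unit]; current systemd expects them in [Unit] (as `StartLimitIntervalSec=`), so the placement should be confirmed against the target systemd version. The `IPAddressAllow=` list only confines this unit's sockets to loopback and RFC 1918 ranges and is not a substitute for the host firewall the commit message mentions, which is not visible here.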