From: Colin Watson Date: Mon, 20 Nov 2017 14:22:49 +0000 (+0000) Subject: new-address-book: Reflect switch from UWSGI to gunicorn X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~cjwatson/git?a=commitdiff_plain;h=1a312a911f57dba3ec3a410c6a583d9e63e6718a;p=blog.git new-address-book: Reflect switch from UWSGI to gunicorn --- diff --git a/content/new-address-book.md b/content/new-address-book.md index 0df61231..38c25178 100644 --- a/content/new-address-book.md +++ b/content/new-address-book.md @@ -60,35 +60,54 @@ It isn't packaged in stretch, but it's in Debian unstable, so I installed it from there. Rather than the standalone mode suggested on the web page, I decided to set -it up in what felt like a more robust way using WSGI. I installed `uwsgi`, -`uwsgi-plugin-python3`, and `libapache2-mod-proxy-uwsgi`, and created the -following file in `/etc/uwsgi/apps-available/xandikos.ini` which I then -symlinked into `/etc/uwsgi/apps-enabled/xandikos.ini`: +it up in what felt like a more robust way using WSGI. I installed +`gunicorn` and `python3-gunicorn`, created the following file in +`/etc/systemd/system/xandikos.socket`: :::ini - [uwsgi] - socket = 127.0.0.1:8801 - uid = xandikos - gid = xandikos - umask = 022 - master = true - cheaper = 2 - processes = 4 - plugin = python3 - module = xandikos.wsgi:app - env = XANDIKOSPATH=/srv/xandikos/collections - -The port number was arbitrary, as was the path. You need to create the -`xandikos` user and group first (`adduser --system --group --no-create-home ---disabled-login xandikos`). I created `/srv/xandikos` owned by -`xandikos:xandikos` and mode 0700, and I recommend [setting a -umask](https://bugs.debian.org/866058) as shown above since uwsgi's default -umask is 000 (!). You should also run `sudo -u xandikos xandikos -d -/srv/xandikos/collections --autocreate` and then Ctrl-c it after a short -time (I think it would be nicer if there were a way to [ask the WSGI wrapper -to do this](https://bugs.debian.org/866093)). - -For Apache setup, I kept it reasonably simple: I ran `a2enmod proxy_uwsgi`, + [Unit] + Description=Xandikos socket + + [Socket] + ListenStream=/run/xandikos.socket + + [Install] + WantedBy=sockets.target + +... and the following file in `/etc/systemd/system/xandikos.service`: + + :::ini + [Unit] + Description=Xandikos CalDAV/CardDAV server + Documentation=man:xandikos(1) + Requires=xandikos.socket + + [Service] + User=xandikos + Group=xandikos + Restart=on-failure + ExecStart=/usr/bin/python3 /usr/bin/gunicorn --bind=unix:/run/xandikos.socket xandikos.wsgi:app + ExecReload=/bin/kill -s HUP $MAINPID + ExecStop=/bin/kill -s TERM $MAINPID + Environment=XANDIKOSPATH=/srv/xandikos/collections + ProtectSystem=strict + ProtectKernelTunables=yes + ProtectControlGroups=yes + PrivateDevices=yes + PrivateTmp=yes + ReadWritePaths=/run/xandikos.socket /srv/xandikos + +The path (`/srv/xandikos/collections`) was arbitrary. You need to create +the `xandikos` user and group first (`adduser --system --group +--no-create-home --disabled-login xandikos`). I created `/srv/xandikos` +owned by `xandikos:xandikos` and mode 0700. You should also run `sudo -u +xandikos xandikos -d /srv/xandikos/collections --autocreate` and then Ctrl-c +it after a short time (I think it would be nicer if there were a way to [ask +the WSGI wrapper to do this](https://bugs.debian.org/866093)). If you +aren't using systemd then you can of course write equivalent init scripts +instead. + +For Apache setup, I kept it reasonably simple: I ran `a2enmod proxy_http`, used `htpasswd` to create `/etc/apache2/xandikos.passwd` with a username and password for myself, added a virtual host in `/etc/apache2/sites-available/xandikos.conf`, and enabled it with `a2ensite @@ -103,7 +122,7 @@ xandikos`: TransferLog /var/log/apache2/xandikos-access.log - ProxyPass "uwsgi://127.0.0.1:8801/" + ProxyPass "unix:/run/xandikos.socket|http://xandikos.riva.dynamic.greenend.org.uk/" AuthType Basic AuthName "Xandikos" AuthBasicProvider file @@ -112,6 +131,9 @@ xandikos`: +You should of course adjust the `ProxyPass` line to match your own +deployment. + Then `service apache2 reload`, set the new virtual host up with [Let's Encrypt](https://letsencrypt.org/), reloaded again, and off we go.