fix service readwrite path

add systemd service file
Merge branch 'gunicorn-migration'
2026-04-05 17:21:41 -04:00 · 2026-04-05 17:04:14 -04:00 · 2026-04-04 16:33:46 -04:00 · 2026-04-04 16:13:00 -04:00 · 2026-04-04 15:58:13 -04:00 · 2026-04-03 15:08:08 -04:00
4 changed files with 66 additions and 8 deletions
@@ -0,0 +1,47 @@
+[Unit]
+Description=Navidrome Music Uploader Service
+After=network.target,navidrome.service
+
+[Service]
+Type=simple
+User=navidrome-uploader
+Group=navidrome-uploader
+WorkingDirectory=/opt/navidrome-uploader
+Environment="PATH=/opt/navidrome-uploader/venv/bin"
+EnvironmentFile=/etc/default/navidrome-uploader/.env
+ExecStart=/opt/navidrome-uploader/venv/bin/gunicorn -c gunicorn.conf.py main:app
+Restart=on-failure
+RestartSec=30
+
+NoNewPrivileges=yes
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+ReadWritePaths=/opt/navidrome-uploader
+InaccessiblePaths=/boot /mnt /media
+
+PrivateDevices=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+ProtectClock=yes
+ProtectHostname=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+PrivateNetwork=no
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+UMask=0027
+
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,16 @@
+# gunicorn.conf.py
+# Arian Nasr
+# April 4, 2026
+
+import os
+
+
+BIND_ADDRESS = os.environ.get('BIND_ADDRESS', '0.0.0.0')
+BIND_PORT = int(os.environ.get('BIND_PORT', 5001))
+
+bind = f"{BIND_ADDRESS}:{BIND_PORT}"
+workers = 2
+accesslog = "-" # Log to stdout
+errorlog = "-"  # Log to stderr
+
+# gunicorn -c gunicorn.conf.py main:app
@@ -7,8 +7,6 @@ from flask import Flask, request, render_template
 from werkzeug.utils import secure_filename

 UPLOAD_FOLDER = os.environ.get('NAVIDROME_MUSIC_FOLDER', '/opt/navidrome/music')
-BIND_ADDRESS = os.environ.get('BIND_ADDRESS', '0.0.0.0')
-BIND_PORT = int(os.environ.get('BIND_PORT', 5001))
 ALLOWED_EXTENSIONS = {'flac', 'mp3', 'wav'}

 app = Flask(__name__)
@@ -35,7 +33,3 @@ def upload_file():
        return render_template('success.html', success_message=f'{len(request.files)} file(s) uploaded successfully!'), 200

    return render_template('index.html'), 200
-
-
-if __name__ == '__main__':
-    app.run(host=BIND_ADDRESS, port=BIND_PORT, debug=False)
@@ -1,7 +1,8 @@
 blinker==1.9.0
-click==8.3.1
+click==8.3.2
 Flask==3.1.3
 itsdangerous==2.2.0
 Jinja2==3.1.6
 MarkupSafe==3.0.3
-Werkzeug==3.1.7
+Werkzeug==3.1.8
+gunicorn==25.3.0
Author	SHA1	Message	Date
arian	5e553f9363	fix service readwrite path	2026-04-05 17:21:41 -04:00
arian	f9ca5f299f	add systemd service file	2026-04-05 17:04:14 -04:00
arian	4b9728e814	Merge branch 'gunicorn-migration'	2026-04-04 16:33:46 -04:00
arian	a6a84d662b	deploy with gunicorn	2026-04-04 16:13:00 -04:00
arian	05d40b4bd8	bump click==8.3.2	2026-04-04 15:58:13 -04:00
arian	0f7fd55c7f	bump Werkzeug==3.1.8	2026-04-03 15:08:08 -04:00
arian	beb96580d4	Merge branch 'pr-ext-conf'	2026-03-28 10:18:56 -04:00