metadata-research / yamz

A crowd-sourced metadata dictionary
MIT License

move application to role account #26

Closed cr625 closed 1 year ago

machawk1 commented 2 years ago

As discussed, a better approach might be to create a yamz user on the server with tight privileges to allow it to be located outside of any one user's home directory and also to prevent any security issues from having drastic effects. From this, we might symlink from /var/www/ or specify the location in the nginx config file.

cr625 commented 2 years ago

Note (mostly to self): if we are going to continue to use nginx as a proxy, it has to run as a user/group and by default it's www-data. If there is a separate yamz user that runs the yamz uwsgi service, nginx can't access the socket it creates. There are many ways to deal with this. One way is the emperor orchestration service designed for this purpose. The other is mounting /run/ as a tmpfs to put sockets and pidfiles into if we still use systemd. The www-data group still needs r/w access. The flask app should run in an instance directory as well but that's a flask configuration option. Don't want to over-complicate this but for my future self: uwsgi-docs.readthedocs.io
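One way to resolve the socket-permission problem described above, as an added example rather than a unit file from the yamz repository: a systemd service that runs uwsgi as the `yamz` role account with `www-data` as its group, lets systemd create the socket directory on the tmpfs-backed /run, and restricts what the process can write. The paths `/srv/yamz`, `/srv/yamz/venv` and `/srv/yamz/instance` are assumptions.

```ini
# /etc/systemd/system/yamz.service  (added example; paths are assumed)
[Unit]
Description=yamz uWSGI application server
After=network.target

[Service]
# Dedicated role account owns the process; www-data as the group lets
# nginx (which runs as www-data) open the socket without running as yamz.
User=yamz
Group=www-data
# systemd creates /run/yamz owned by yamz:www-data (0770) when the service
# starts and removes it on stop, so the socket and pidfile never live in
# a home directory and are cleaned up automatically.
RuntimeDirectory=yamz
RuntimeDirectoryMode=0770
WorkingDirectory=/srv/yamz
ExecStart=/srv/yamz/venv/bin/uwsgi \
    --master \
    --module wsgi:app \
    --socket /run/yamz/yamz.sock \
    --chmod-socket=660 \
    --pidfile /run/yamz/yamz.pid \
    --die-on-term
Restart=on-failure
# Least-privilege hardening: a compromised app cannot gain privileges,
# write outside its instance and runtime directories, or read other
# users' home directories.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/srv/yamz/instance /run/yamz

[Install]
WantedBy=multi-user.target
```

On the nginx side the matching location block only needs `include uwsgi_params;` and `uwsgi_pass unix:/run/yamz/yamz.sock;`; nginx's www-data group membership is what satisfies the 660 socket mode.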

cr625 commented 1 year ago

The point was so it no longer ran under someone's personal login. @jkunze created a yamz role account and the flask app now runs under that.