author | Christian Pointner <equinox@spreadspace.org> | 2024-01-28 02:11:05 +0100 |
committer | Christian Pointner <equinox@spreadspace.org> | 2024-01-28 02:11:05 +0100 |
commit | 24b4917d8186551bcf987b72d1c3588e4705096a (patch) | |
tree | 4cba19d0999095ac27edafc9f88513fdaa80ab16 /roles/whawty/auth/app/templates/systemd.service.j2 | |
parent | move ch-auth-legacy to _graveyard_ (diff) |
finalize whawty/auth roles for now
Diffstat (limited to 'roles/whawty/auth/app/templates/systemd.service.j2')
-rw-r--r-- | roles/whawty/auth/app/templates/systemd.service.j2 | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/roles/whawty/auth/app/templates/systemd.service.j2 b/roles/whawty/auth/app/templates/systemd.service.j2
new file mode 100644
index 00000000..875d692e
--- /dev/null
+++ b/roles/whawty/auth/app/templates/systemd.service.j2
@@ -0,0 +1,32 @@
+{% set whawty_auth_store = whawty_auth_store_instances[whawty_auth_app.config.store] %}
+[Unit]
+Description=whawty.auth authentication agent for {{ whawty_auth_app.name }}
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/whawty-auth --store "/etc/whawty/auth/store-{{ whawty_auth_app.config.store }}.yml" runsa
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=3
+
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+{% if 'sync' not in whawty_auth_store or whawty_auth_store.sync.type != 'client' %}
+ReadWritePaths={{ whawty_auth_store.config.basedir }}
+{% endif %}
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
|
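Review bot: The `[Service]` section restricts capabilities and the filesystem but never sets `User=`/`Group=`, so the agent is started as uid 0; the empty `CapabilityBoundingSet=` strips root's capabilities, but a dedicated unprivileged account is the expected complement and is what makes the `ReadWritePaths=` grant on the store basedir a real DAC boundary rather than a no-op for root. Adding `User=<whawty-auth service account>` and `Group=<whawty-auth service group>` next to `Type=simple`, with the store directory owned accordingly, would close that gap. The hardening list is also missing the usual companions `RestrictSUIDSGID=true`, `ProtectKernelLogs=true`, `ProtectClock=true`, `ProtectHostname=true` and a `SystemCallFilter=@system-service`; `RestrictAddressFamilies=` belongs there as well, but the right set depends on whether `runsa` listens on a UNIX socket only, which this template does not show. Whether a sync client genuinely needs no write access to `whawty_auth_store.config.basedir` (the `{% if %}` guard around `ReadWritePaths=`) is likewise not visible here and is worth confirming against the whawty-auth sync implementation, since `ProtectSystem=strict` will turn any unexpected write into a runtime failure.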