authorChristian Pointner <equinox@spreadspace.org>2024-01-28 02:11:05 +0100
committerChristian Pointner <equinox@spreadspace.org>2024-01-28 02:11:05 +0100
commit24b4917d8186551bcf987b72d1c3588e4705096a (patch)
tree4cba19d0999095ac27edafc9f88513fdaa80ab16 /roles/whawty/auth/app/templates
parentmove ch-auth-legacy to _graveyard_ (diff)
finalize whawty/auth roles for now
Diffstat (limited to 'roles/whawty/auth/app/templates')
-rw-r--r--roles/whawty/auth/app/templates/systemd.service.j232
-rw-r--r--roles/whawty/auth/app/templates/systemd.socket.j222
2 files changed, 54 insertions, 0 deletions
diff --git a/roles/whawty/auth/app/templates/systemd.service.j2 b/roles/whawty/auth/app/templates/systemd.service.j2
new file mode 100644
index 00000000..875d692e
--- /dev/null
+++ b/roles/whawty/auth/app/templates/systemd.service.j2
@@ -0,0 +1,32 @@
+{% set whawty_auth_store = whawty_auth_store_instances[whawty_auth_app.config.store] %}
+[Unit]
+Description=whawty.auth authentication agent for {{ whawty_auth_app.name }}
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/whawty-auth --store "/etc/whawty/auth/store-{{ whawty_auth_app.config.store }}.yml" runsa
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=3
+
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+{% if 'sync' not in whawty_auth_store or whawty_auth_store.sync.type != 'client' %}
+ReadWritePaths={{ whawty_auth_store.config.basedir }}
+{% endif %}
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
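Review bot: The unit never sets `User=`/`Group=`, so unless the role adds them through a drop-in outside this template the agent runs as uid 0; the empty `CapabilityBoundingSet=` and `NoNewPrivileges=true` strip its capabilities, but a bug in the daemon is still a root-context bug against everything the `ProtectSystem=strict` / `ReadWritePaths=` split leaves writable. I would add `User=` and `Group=` set to the account that owns `whawty_auth_store.config.basedir`, since that account must match the `ReadWritePaths=` target in the sync-server case and needs only read access in the `sync.type == 'client'` case. The sandbox could also take `RestrictSUIDSGID=true`, `ProtectKernelLogs=true`, `ProtectClock=true` and `SystemCallFilter=@system-service` next to `SystemCallArchitectures=native`. `RestrictAddressFamilies=` is worth a look as well, but whether the sync client needs AF_INET in addition to the socket-activated AF_UNIX descriptors cannot be told from this template.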
diff --git a/roles/whawty/auth/app/templates/systemd.socket.j2 b/roles/whawty/auth/app/templates/systemd.socket.j2
new file mode 100644
index 00000000..f0432e3b
--- /dev/null
+++ b/roles/whawty/auth/app/templates/systemd.socket.j2
@@ -0,0 +1,22 @@
+[Unit]
+Description=whawty.auth authentication agent for {{ whawty_auth_app.name }}/{{ item.key }}
+
+[Socket]
+Service=whawty-auth-{{ whawty_auth_app.name }}.service
+FileDescriptorName={{ item.key }}
+{% for socket in item.value.sockets %}
+ListenStream={{ socket }}
+{% endfor %}
+RemoveOnStop=true
+{% if 'user' in item.value %}
+SocketUser={{ item.value.user }}
+{% endif %}
+{% if 'group' in item.value %}
+SocketGroup={{ item.value.group }}
+{% endif %}
+{% if 'mode' in item.value %}
+SocketMode={{ item.value.mode }}
+{% endif %}
+
+[Install]
+WantedBy=sockets.target
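Review bot: `SocketMode=` is only emitted when the instance config carries `mode`, so a `ListenStream=` that names an AF_UNIX path falls back to systemd's default of 0666 and every local account can talk to the authentication agent, for example to probe passwords, regardless of what `SocketUser=`/`SocketGroup=` were set to. Safer is a restrictive default that the config can widen: add `{% else %}` / `SocketMode=0660` before the closing `{% endif %}` of the mode branch (or a documented default in the role's `defaults/`). For TCP listeners the mode is irrelevant, and whether the role allows TCP entries in `item.value.sockets` cannot be told from this template; if it does, the accompanying note should say that such sockets are unauthenticated at the transport level.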