authorChristian Pointner <equinox@spreadspace.org>2024-01-28 02:11:05 +0100
committerChristian Pointner <equinox@spreadspace.org>2024-01-28 02:11:05 +0100
commit24b4917d8186551bcf987b72d1c3588e4705096a (patch)
tree4cba19d0999095ac27edafc9f88513fdaa80ab16 /roles/whawty/auth/app
parentmove ch-auth-legacy to _graveyard_ (diff)
finalize whawty/auth roles for now
Diffstat (limited to 'roles/whawty/auth/app')
-rw-r--r--roles/whawty/auth/app/defaults/main.yml18
-rw-r--r--roles/whawty/auth/app/tasks/listeners.yml18
-rw-r--r--roles/whawty/auth/app/tasks/main.yml18
-rw-r--r--roles/whawty/auth/app/templates/systemd.service.j232
-rw-r--r--roles/whawty/auth/app/templates/systemd.socket.j222
5 files changed, 106 insertions, 2 deletions
diff --git a/roles/whawty/auth/app/defaults/main.yml b/roles/whawty/auth/app/defaults/main.yml
index fa188349..d1423a61 100644
--- a/roles/whawty/auth/app/defaults/main.yml
+++ b/roles/whawty/auth/app/defaults/main.yml
@@ -1,2 +1,18 @@
---
-whawty_install_pam_module: no
+whawty_auth_app_install_pam_module: no
+
+## TODO: add support for web config (including TLS)
+
+# whawty_auth_app_instances:
+# blub:
+# store: foo
+# listeners:
+# saslauthd:
+# sockets:
+# - /var/run/whawty/auth.sock
+# user: foo
+# group: bar
+# mode: 0600
+# web:
+# sockets:
+# - 127.0.0.1:1234
diff --git a/roles/whawty/auth/app/tasks/listeners.yml b/roles/whawty/auth/app/tasks/listeners.yml
new file mode 100644
index 00000000..82944222
--- /dev/null
+++ b/roles/whawty/auth/app/tasks/listeners.yml
@@ -0,0 +1,18 @@
+---
+- name: generate systemd socket units
+ loop: "{{ whawty_auth_app.config.listeners | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ template:
+ src: systemd.socket.j2
+ dest: "/etc/systemd/system/whawty-auth-{{ whawty_auth_app.name }}_{{ item.key }}.socket"
+
+- name: make sure systemd socket units are enabled and started
+ loop: "{{ whawty_auth_app.config.listeners | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ systemd:
+ daemon_reload: yes
+ name: "whawty-auth-{{ whawty_auth_app.name }}_{{ item.key }}.socket"
+ state: started
+ enabled: yes
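Review bot: A socket whose unit file changed is never restarted: the `template` task has no `register`/`notify`, and the following `systemd` task uses `state: started`, which is a no-op for a socket that is already active, so a changed `ListenStream`, `SocketUser` or `SocketMode` only takes effect after a reboot or a manual restart. The minimal fix is to register the loop result on the template task, `register: whawty_auth_app_socket_units`, and derive the state from it, `state: "{{ 'restarted' if whawty_auth_app_socket_units is changed else 'started' }}"`; since the registered result is aggregated over the loop this restarts all listeners of the instance when any of them changed, which seems acceptable here but is an inference. The `daemon_reload` placed on the second task does cover the reload, so only the restart is missing.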
diff --git a/roles/whawty/auth/app/tasks/main.yml b/roles/whawty/auth/app/tasks/main.yml
index 00a02c7e..cc19fd2e 100644
--- a/roles/whawty/auth/app/tasks/main.yml
+++ b/roles/whawty/auth/app/tasks/main.yml
@@ -1,5 +1,21 @@
---
- name: install whawty app
apt:
- name: "{{ ['whawty-auth'] | union(whawty_auth_install_pam_module | ternary(['libpam-whawty'], [])) }}"
+ name: "{{ ['whawty-auth'] | union(whawty_auth_app_install_pam_module | ternary(['libpam-whawty'], [])) }}"
state: present
+
+- name: generate systemd service units
+ loop: "{{ whawty_auth_app_instances | dict2items(key_name='name', value_name='config') }}"
+ loop_control:
+ loop_var: whawty_auth_app
+ label: "{{ whawty_auth_app.name }}"
+ template:
+ src: systemd.service.j2
+ dest: "/etc/systemd/system/whawty-auth-{{ whawty_auth_app.name }}.service"
+
+- name: generate, start and enable systemd socket units
+ loop: "{{ whawty_auth_app_instances | dict2items(key_name='name', value_name='config') }}"
+ loop_control:
+ loop_var: whawty_auth_app
+ label: "{{ whawty_auth_app.name }}"
+ include_tasks: listeners.yml
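Review bot: The `generate systemd service units` task writes the service unit but nothing reacts to a change in it: there is no `register` or `notify`, and the only `daemon_reload` in the role sits in the `systemd` task inside listeners.yml, so an instance whose `listeners` mapping is empty never gets a daemon-reload at all and a running instance keeps its old `ExecStart` and sandboxing settings until someone restarts it by hand. Consider registering the template result and, when it changed, running a `systemd` task with `daemon_reload: true` and `state: restarted` on `whawty-auth-{{ whawty_auth_app.name }}.service`, or notifying a handler that does the same. Whether restarting a socket-activated service in the middle of a play is acceptable for this deployment cannot be told from the hunk, but silently running stale hardening options is the worse default.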
diff --git a/roles/whawty/auth/app/templates/systemd.service.j2 b/roles/whawty/auth/app/templates/systemd.service.j2
new file mode 100644
index 00000000..875d692e
--- /dev/null
+++ b/roles/whawty/auth/app/templates/systemd.service.j2
@@ -0,0 +1,32 @@
+{% set whawty_auth_store = whawty_auth_store_instances[whawty_auth_app.config.store] %}
+[Unit]
+Description=whawty.auth authentication agent for {{ whawty_auth_app.name }}
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/whawty-auth --store "/etc/whawty/auth/store-{{ whawty_auth_app.config.store }}.yml" runsa
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=3
+
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+{% if 'sync' not in whawty_auth_store or whawty_auth_store.sync.type != 'client' %}
+ReadWritePaths={{ whawty_auth_store.config.basedir }}
+{% endif %}
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
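Review bot: The unit has no `User=` line, so whawty-auth runs as uid 0; `CapabilityBoundingSet=` and `AmbientCapabilities=` being empty drops all capabilities, but root's ownership-based DAC access is not a capability, so the process can still read and write any root-owned path that `ProtectSystem=strict`/`ProtectHome=true` leave visible. A dedicated service account (the name below is a placeholder) would need the store `basedir` passed via `ReadWritePaths=` to be owned by that account, which this hunk cannot show, so treat that as a change to coordinate with the store role. Independently of that, the sandbox is missing several directives that normally accompany the ones present: `RestrictAddressFamilies=` (the service at least needs AF_UNIX for the activated sockets and AF_INET/AF_INET6 if a `web` listener or a sync client is configured), `SystemCallFilter=@system-service`, `ProtectClock=`, `ProtectHostname=`, `ProtectKernelLogs=` and `RestrictSUIDSGID=`. The address-family list is the one to verify against what the binary actually opens before merging.

```jinja
[Service]
{# … unchanged: Type, ExecStart, ExecReload, Restart, RestartSec … #}
User=whawty-auth
{# … unchanged: AmbientCapabilities … ProtectSystem=strict and the ReadWritePaths conditional … #}
ProtectClock=true
ProtectHostname=true
ProtectKernelLogs=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictSUIDSGID=true
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
{# … unchanged: RemoveIPC, RestrictNamespaces, RestrictRealtime, SystemCallArchitectures … #}
```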
diff --git a/roles/whawty/auth/app/templates/systemd.socket.j2 b/roles/whawty/auth/app/templates/systemd.socket.j2
new file mode 100644
index 00000000..f0432e3b
--- /dev/null
+++ b/roles/whawty/auth/app/templates/systemd.socket.j2
@@ -0,0 +1,22 @@
+[Unit]
+Description=whawty.auth authentication agent for {{ whawty_auth_app.name }}/{{ item.key }}
+
+[Socket]
+Service=whawty-auth-{{ whawty_auth_app.name }}.service
+FileDescriptorName={{ item.key }}
+{% for socket in item.value.sockets %}
+ListenStream={{ socket }}
+{% endfor %}
+RemoveOnStop=true
+{% if 'user' in item.value %}
+SocketUser={{ item.value.user }}
+{% endif %}
+{% if 'group' in item.value %}
+SocketGroup={{ item.value.group }}
+{% endif %}
+{% if 'mode' in item.value %}
+SocketMode={{ item.value.mode }}
+{% endif %}
+
+[Install]
+WantedBy=sockets.target
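Review bot: When a listener omits `mode`, the `{% if 'mode' in item.value %}` guard leaves `SocketMode=` unset and systemd falls back to its default of 0666, so a filesystem socket such as the saslauthd-style path shown in the defaults example becomes connectable by every local user; `user` and `group` are optional in the same way, so nothing in the template forces an owner either. Because `ListenStream=` entries may also be TCP addresses, for which `SocketMode=` is irrelevant, a template-side default is the least intrusive fix: `SocketMode={{ item.value.mode | default('0660') }}` in place of the guarded line, with 0660 as a placeholder to confirm against the PAM module and other local consumers. Alternatively the role could `assert` in listeners.yml that path-style listeners carry an explicit `mode`, which makes the exposure a deliberate inventory decision rather than an omission.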