author | Christian Pointner <equinox@spreadspace.org> | 2024-01-24 00:34:32 +0100 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2024-01-24 00:34:32 +0100 |
commit | 13804dc388ccd7e8b8344de5fbbcf52395565297 (patch) | |
tree | 3af4b74125fb01c3c125b2bf4d3c4223bac27664 /roles/whawty/auth/store/templates/systemd.service.j2 | |
parent | sshd: disable umac-64 based macs from serer mac list (diff) |
whawty/auth/store role mostly done
Diffstat (limited to 'roles/whawty/auth/store/templates/systemd.service.j2')
-rw-r--r-- | roles/whawty/auth/store/templates/systemd.service.j2 | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/roles/whawty/auth/store/templates/systemd.service.j2 b/roles/whawty/auth/store/templates/systemd.service.j2
new file mode 100644
index 00000000..1081df60
--- /dev/null
+++ b/roles/whawty/auth/store/templates/systemd.service.j2
@@ -0,0 +1,41 @@
+{% set rsync_args = [] %}
+{% if 'permissions' in whawty_auth_store %}
+{% if 'file-mode' in whawty_auth_store.permissions %}
+{% set _dummy = rsync_args.append(" --chmod=F"~whawty_auth_store.permissions['file-mode']) %}
+{% endif %}
+{% if 'owner' in whawty_auth_store.permissions %}
+{% set _dummy = rsync_args.append(" --chown="~whawty_auth_store.permissions.owner~":"~whawty_auth_store.permissions.group) %}
+{% endif %}
+{% endif %}
+[Unit]
+Description=sync for whawty-auth store {{ whawty_auth_store.name }}
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/rsync -rtpW --delete --delete-delay --delay-updates --partial-dir=.tmp{{ rsync_args | join('') }} -e 'ssh -F "/etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/ssh_config"' 'rsync://whawty-auth-server/store' '{{ whawty_auth_store.config.basedir }}'
+TimeoutStartSec=40s
+
+# systemd hardening-options
+AmbientCapabilities=CAP_CHOWN CAP_FOWNER
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths={{ whawty_auth_store.config.basedir }}
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target |
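Review bot: The `--chown` branch guards only on `'owner' in whawty_auth_store.permissions` but then dereferences `whawty_auth_store.permissions.group` unconditionally, so a store configured with an owner and no group fails at template render time (or, depending on the undefined-variable policy, emits `--chown=owner:`), rather than with a clear message. Tighten the guard to `{% if 'owner' in whawty_auth_store.permissions and 'group' in whawty_auth_store.permissions %}` or fall back to an owner-only `--chown` when no group is given, and document the expected keys in a leading comment such as `{# permissions: optional file-mode (octal, applied via --chmod=F...), owner and group (both required for --chown) #}`. Separately, the unit sets `AmbientCapabilities=CAP_CHOWN CAP_FOWNER` but no `User=`, so rsync still runs as uid 0 (with the bounding set reduced to those two caps) and the ambient set is effectively a no-op; if the store directory can be owned by a dedicated account, adding `User=`/`Group=` is what would make the capability lines meaningful, and if root is intentional the comment above the hardening block should say so. Given `--delete` against `{{ whawty_auth_store.config.basedir }}`, a misconfigured basedir would wipe whatever lives there, so it may be worth asserting that the role validates this path before the unit is deployed — I cannot see that from this hunk.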