Diffstat (limited to 'roles/whawty/auth/store/templates')
-rw-r--r-- | roles/whawty/auth/store/templates/systemd.service.j2 | 41 | ||||
-rw-r--r-- | roles/whawty/auth/store/templates/systemd.timer.j2 | 11 |
2 files changed, 52 insertions, 0 deletions
diff --git a/roles/whawty/auth/store/templates/systemd.service.j2 b/roles/whawty/auth/store/templates/systemd.service.j2
new file mode 100644
index 00000000..1081df60
--- /dev/null
+++ b/roles/whawty/auth/store/templates/systemd.service.j2
@@ -0,0 +1,41 @@
+{% set rsync_args = [] %}
+{% if 'permissions' in whawty_auth_store %}
+{% if 'file-mode' in whawty_auth_store.permissions %}
+{% set _dummy = rsync_args.append(" --chmod=F"~whawty_auth_store.permissions['file-mode']) %}
+{% endif %}
+{% if 'owner' in whawty_auth_store.permissions %}
+{% set _dummy = rsync_args.append(" --chown="~whawty_auth_store.permissions.owner~":"~whawty_auth_store.permissions.group) %}
+{% endif %}
+{% endif %}
+[Unit]
+Description=sync for whawty-auth store {{ whawty_auth_store.name }}
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/rsync -rtpW --delete --delete-delay --delay-updates --partial-dir=.tmp{{ rsync_args | join('') }} -e 'ssh -F "/etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/ssh_config"' 'rsync://whawty-auth-server/store' '{{ whawty_auth_store.config.basedir }}'
+TimeoutStartSec=40s
+
+# systemd hardening-options
+AmbientCapabilities=CAP_CHOWN CAP_FOWNER
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths={{ whawty_auth_store.config.basedir }}
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/whawty/auth/store/templates/systemd.timer.j2 b/roles/whawty/auth/store/templates/systemd.timer.j2
new file mode 100644
index 00000000..603295a5
--- /dev/null
+++ b/roles/whawty/auth/store/templates/systemd.timer.j2
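Review bot: The `--chown` branch reads `whawty_auth_store.permissions.group` after checking only for `owner`, so a store that defines `owner` without `group` makes the template fail on an undefined attribute under Ansible's default undefined handling (or, with a lenient renderer, silently emits `--chown=owner:`). Guard both keys on the branch line, e.g. `{% if 'owner' in whawty_auth_store.permissions and 'group' in whawty_auth_store.permissions %}`, or document in a `{# ... #}` comment at the top of the template that `owner` and `group` are only honoured together. On the hardening block, the unit sets no `User=`, so unless one arrives via a drop-in, rsync and ssh run as root with the bounding set reduced to CAP_CHOWN/CAP_FOWNER; a dedicated service user carrying those two capabilities is the usual reason for the `AmbientCapabilities=` line that is already present. Where the target systemd version supports them, `ProtectKernelLogs=true`, `ProtectHostname=true`, `RestrictSUIDSGID=true` and `SystemCallFilter=@system-service` are the customary companions of the options listed here.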
@@ -0,0 +1,11 @@
+[Unit]
+Description=sync for whawty-auth store {{ whawty_auth_store.name }}
+
+[Timer]
+OnBootSec=30s
+OnActiveSec=5s
+OnUnitActiveSec=1m
+AccuracySec=5s
+
+[Install]
+WantedBy=timers.target |