From 24b4917d8186551bcf987b72d1c3588e4705096a Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 28 Jan 2024 02:11:05 +0100
Subject: finalize whawty/auth roles for now

---
 roles/whawty/auth/app/templates/systemd.service.j2 | 32 ++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 roles/whawty/auth/app/templates/systemd.service.j2

(limited to 'roles/whawty/auth/app/templates/systemd.service.j2')

diff --git a/roles/whawty/auth/app/templates/systemd.service.j2 b/roles/whawty/auth/app/templates/systemd.service.j2
new file mode 100644
index 00000000..875d692e
--- /dev/null
+++ b/roles/whawty/auth/app/templates/systemd.service.j2
@@ -0,0 +1,32 @@
+{% set whawty_auth_store = whawty_auth_store_instances[whawty_auth_app.config.store] %}
+[Unit]
+Description=whawty.auth authentication agent for {{ whawty_auth_app.name }}
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/whawty-auth --store "/etc/whawty/auth/store-{{ whawty_auth_app.config.store }}.yml" runsa
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=3
+
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+{% if 'sync' not in whawty_auth_store or whawty_auth_store.sync.type != 'client' %}
+ReadWritePaths={{ whawty_auth_store.config.basedir }}
+{% endif %}
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
-- 
cgit v1.2.3
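Review bot: The `[Service]` section sets no `User=`/`DynamicUser=`, so despite the empty `CapabilityBoundingSet=` the agent still runs as uid 0 and keeps DAC read access to root-owned files inside the `ProtectSystem=strict` view (including the `/etc/whawty/auth/store-*.yml` config and the store basedir, which hold the credential data); unless a user is assigned by a drop-in elsewhere in the role, `DynamicUser=true` (or an explicit `User=`) would close that gap and is consistent with the rest of the hardening here. The sandbox directives also stop short of the syscall and socket dimensions that usually accompany this set: `SystemCallFilter=@system-service` and `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` (trimmed to whatever `runsa` actually needs) would bound the process further, and `RestrictSUIDSGID=true`, `ProtectKernelLogs=true`, `ProtectClock=true` and `ProtectHostname=true` are cheap additions with no apparent impact on this workload. The `{% if %}` around `ReadWritePaths=` means a `sync.type == 'client'` instance gets no writable path at all, which is presumably intentional for a read-only replica; a one-line template comment stating that would save the next maintainer from re-deriving it. Note too that the unit has no `[Install]` section, so enabling it must happen elsewhere in the role.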