From 24b4917d8186551bcf987b72d1c3588e4705096a Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 28 Jan 2024 02:11:05 +0100
Subject: finalize whawty/auth roles for now

---
 roles/whawty/auth/app/templates/systemd.service.j2 | 32 ++++++++++++++++++++++
 roles/whawty/auth/app/templates/systemd.socket.j2 | 22 +++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 roles/whawty/auth/app/templates/systemd.service.j2
 create mode 100644 roles/whawty/auth/app/templates/systemd.socket.j2

(limited to 'roles/whawty/auth/app/templates')

diff --git a/roles/whawty/auth/app/templates/systemd.service.j2 b/roles/whawty/auth/app/templates/systemd.service.j2
new file mode 100644
index 00000000..875d692e
--- /dev/null
+++ b/roles/whawty/auth/app/templates/systemd.service.j2
@@ -0,0 +1,32 @@
+{% set whawty_auth_store = whawty_auth_store_instances[whawty_auth_app.config.store] %}
+[Unit]
+Description=whawty.auth authentication agent for {{ whawty_auth_app.name }}
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/whawty-auth --store "/etc/whawty/auth/store-{{ whawty_auth_app.config.store }}.yml" runsa
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=3
+
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+{% if 'sync' not in whawty_auth_store or whawty_auth_store.sync.type != 'client' %}
+ReadWritePaths={{ whawty_auth_store.config.basedir }}
+{% endif %}
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
diff --git a/roles/whawty/auth/app/templates/systemd.socket.j2 b/roles/whawty/auth/app/templates/systemd.socket.j2
new file mode 100644
index 00000000..f0432e3b
--- /dev/null
+++ b/roles/whawty/auth/app/templates/systemd.socket.j2
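Review bot: The service template sets no `User=` or `DynamicUser=`, so whawty-auth runs as UID 0 with only the capability bounding set emptied, unless a drop-in outside this patch supplies an account. An unprivileged user would strengthen the sandbox considerably, since `ProtectSystem=strict` and `ProtectHome=true` leave a root process able to read the rest of the file system (other files under `/etc`, for instance). The hardening block also stops short of the directives usually paired with the ones present: `SystemCallFilter=@system-service`, `RestrictSUIDSGID=true`, `RestrictAddressFamilies=`, `ProtectKernelLogs=true`, `ProtectClock=true`, `ProtectHostname=true` and `ProtectProc=invisible`. Which address families the agent needs depends on whether the selected store is a sync client; the set below assumes AF_UNIX for the activated sockets plus AF_INET/AF_INET6 for outbound sync, which should be confirmed against the store configuration.
```jinja
[Service]
# … unchanged: Type=, ExecStart=, ExecReload=, Restart=, RestartSec= …
# constructed placeholder account name; use the account the role creates, or DynamicUser=true
User=whawty-auth
AmbientCapabilities=
CapabilityBoundingSet=
# … unchanged: DeviceAllow= through ProtectSystem=strict and the ReadWritePaths block …
ProtectClock=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectProc=invisible
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictSUIDSGID=true
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# … unchanged: RemoveIPC=, RestrictNamespaces=, RestrictRealtime=, SystemCallArchitectures= …
```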
@@ -0,0 +1,22 @@
+[Unit]
+Description=whawty.auth authentication agent for {{ whawty_auth_app.name }}/{{ item.key }}
+
+[Socket]
+Service=whawty-auth-{{ whawty_auth_app.name }}.service
+FileDescriptorName={{ item.key }}
+{% for socket in item.value.sockets %}
+ListenStream={{ socket }}
+{% endfor %}
+RemoveOnStop=true
+{% if 'user' in item.value %}
+SocketUser={{ item.value.user }}
+{% endif %}
+{% if 'group' in item.value %}
+SocketGroup={{ item.value.group }}
+{% endif %}
+{% if 'mode' in item.value %}
+SocketMode={{ item.value.mode }}
+{% endif %}
+
+[Install]
+WantedBy=sockets.target
-- 
cgit v1.2.3
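Review bot: `SocketMode=` is only emitted when `mode` is present in `item.value`, so a unit generated without it falls back to systemd's default of 0666 for AF_UNIX paths and any local user can connect to the authentication agent; `SocketUser=`/`SocketGroup=` likewise default to root when omitted. A restrictive template default is safer than relying on every inventory entry to set it: replace the three-line `{% if 'mode' in item.value %}` block with `SocketMode={{ item.value.mode | default('0660') }}`. When a `ListenStream=` entry is a TCP address rather than a path these three options do not apply and access control has to come from somewhere else, which deserves a comment in the template, e.g. `# SocketUser/Group/Mode govern AF_UNIX paths only; TCP listeners are not restricted here`.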