author | Guilhem Moulin <guilhem@fripost.org> | 2024-09-20 03:58:11 +0200 |
committer | Guilhem Moulin <guilhem@fripost.org> | 2024-09-20 03:58:38 +0200 |
commit | f2d133b81d98eb84acabef11b0bd919a98d5d13d (patch) | |
tree | 673bc6d8c13ee57a084f8addf4865c7305c0de5a | |
parent | 886afa0f9a261c239eaad0744878f63db7ee2d68 (diff) |
webmap-download: Use a dedicated system group.
It will be shared between the _webmap-* system users, which will be handy
for sharing lock files.
-rw-r--r-- | files/etc/systemd/system/webmap-download@.service | 7 | ||||
-rw-r--r-- | tasks/webmap.yml | 8 |
2 files changed, 10 insertions, 5 deletions
diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service
index a928a13..c0e826f 100644
--- a/files/etc/systemd/system/webmap-download@.service
+++ b/files/etc/systemd/system/webmap-download@.service
@@ -8,7 +8,7 @@ Upholds=webmap-update@%i.target
 [Service]
 User=_webmap-download
-Group=nogroup
+Group=_webmap
 Nice=15
 IOSchedulingClass=idle
@@ -21,6 +21,9 @@ ExecStart=/usr/local/bin/webmap-download \
     --quiet \
     -- %I
+RuntimeDirectory=webmap-download
+RuntimeDirectoryPreserve=yes
+
 # Hardening
 NoNewPrivileges=yes
 ProtectHome=yes
@@ -31,8 +34,6 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 ReadWritePaths=/var/cache/webmap
-RuntimeDirectory=webmap-download
-RuntimeDirectoryPreserve=yes
 [Install]
 WantedBy=webmap-update@%i.target
diff --git a/tasks/webmap.yml b/tasks/webmap.yml
index 10a6555..ff212e5 100644
--- a/tasks/webmap.yml
+++ b/tasks/webmap.yml
@@ -64,9 +64,13 @@
 - meta: flush_handlers
+- name: Create system group '_webmap'
+  group: name=_webmap system=true
+         state=present
+
 - name: Create system user '_webmap-download'
   user: name=_webmap-download system=true
-        group=nogroup
+        group=_webmap
         createhome=false home=/nonexistent
         shell=/usr/sbin/nologin
@@ -95,7 +99,7 @@
 - name: Create directory /var/cache/webmap
   file: path=/var/cache/webmap state=directory
-        owner=_webmap-download group=nogroup
+        owner=_webmap-download group=root
         mode=0755
 - name: Copy webmap-download@.service
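Review bot: `Group=_webmap` (and the matching `group=_webmap` line in the first tasks/webmap.yml hunk) turns the service's primary group from the inert `nogroup` into a group shared by every `_webmap-*` account, so any file the downloader leaves group-writable becomes writable by all of its sibling services, which narrows the separation the dedicated users were giving. The visible hunks do not set `UMask=` in the unit, so whether that ever happens depends on the default umask and on the modes the program itself chooses; a `UMask=0027` line in `[Service]`, or an explicit mode on the one location meant to be shared, would confine the sharing to the lock files the commit description has in mind. The `[Service]` section continues outside this hunk, so an existing `UMask=` may already cover this.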
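Review bot: The moved `RuntimeDirectory=webmap-download` keeps systemd's default `RuntimeDirectoryMode=` of 0755, so after this change the directory is owned `_webmap-download:_webmap` yet still not writable by the group; if the shared lock files mentioned in the description are meant to live under /run/webmap-download, the other `_webmap-*` users can read them but not create them. Adding `RuntimeDirectoryMode=0770` beside the moved lines would match that intent, while leaving the default is the tighter choice if the lock files live elsewhere; a one-line comment such as `# shared with the other _webmap-* units via group _webmap` above `RuntimeDirectory=` would make the decision visible either way. Taking the two lines out of the `# Hardening` block is a pure reorder and the third hunk is its deletion half.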
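Review bot: In the second tasks/webmap.yml hunk the cache directory's group becomes `root` rather than the newly created `_webmap`, so with `mode=0755` the other `_webmap-*` users keep only the world-read access they already had; that is the least-privilege choice if only the downloader writes to /var/cache/webmap, but it is surprising in a commit whose point is group sharing and nothing on the task says why. A comment on the task, e.g. `# group=root on purpose: the shared _webmap group is for lock files, not the cache`, would record the decision; if the lock files are in fact kept under /var/cache/webmap, the task would instead need `group=_webmap` and a group-writable mode for the sharing to work.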