authorGuilhem Moulin <guilhem@fripost.org>2024-09-20 03:58:11 +0200
committerGuilhem Moulin <guilhem@fripost.org>2024-09-20 03:58:38 +0200
commitf2d133b81d98eb84acabef11b0bd919a98d5d13d (patch)
tree673bc6d8c13ee57a084f8addf4865c7305c0de5a
parent886afa0f9a261c239eaad0744878f63db7ee2d68 (diff)
webmap-download: Use a dedicated system group.
It will be shared between _webmap-* system users, which will be handy to share lock files.
-rw-r--r--files/etc/systemd/system/webmap-download@.service7
-rw-r--r--tasks/webmap.yml8
2 files changed, 10 insertions, 5 deletions
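diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service
index a928a13..c0e826f 100644
--- a/files/etc/systemd/system/webmap-download@.service
+++ b/files/etc/systemd/system/webmap-download@.service
@@ -8,7 +8,7 @@ Upholds=webmap-update@%i.target
 [Service]
 User=_webmap-download
-Group=nogroup
+Group=_webmap
 Nice=15
 IOSchedulingClass=idle
@@ -21,6 +21,9 @@ ExecStart=/usr/local/bin/webmap-download \
 --quiet \
 -- %I
+RuntimeDirectory=webmap-download
+RuntimeDirectoryPreserve=yes
+
 # Hardening
 NoNewPrivileges=yes
 ProtectHome=yes
@@ -31,8 +34,6 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 ReadWritePaths=/var/cache/webmap
-RuntimeDirectory=webmap-download
-RuntimeDirectoryPreserve=yes
 [Install]
 WantedBy=webmap-update@%i.target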
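Review bot: RuntimeDirectory=webmap-download (moved in the second hunk) is still created with systemd's default RuntimeDirectoryMode=0755, owned by the unit's User=/Group=, so members of the new _webmap group get read-only access to /run/webmap-download; if the lock files the commit message says the group is for are meant to live there, a sibling _webmap-* unit could not create them. If that is the intent, `RuntimeDirectoryMode=0770` would give the group write access while keeping other users out; where the locks actually live is not visible in this diff, so this may already be handled elsewhere. Moving the two RuntimeDirectory= lines next to ExecStart= also takes them out of the `# Hardening` section a reader checks for sandboxing settings, so a one-line comment above them such as `# /run/webmap-download, to be shared with other _webmap-* units via group _webmap` would make the intent explicit.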
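diff --git a/tasks/webmap.yml b/tasks/webmap.yml
index 10a6555..ff212e5 100644
--- a/tasks/webmap.yml
+++ b/tasks/webmap.yml
@@ -64,9 +64,13 @@
 - meta: flush_handlers
+- name: Create system group '_webmap'
+ group: name=_webmap system=true
+ state=present
+
 - name: Create system user '_webmap-download'
 user: name=_webmap-download system=true
- group=nogroup
+ group=_webmap
 createhome=false
 home=/nonexistent
 shell=/usr/sbin/nologin
@@ -95,7 +99,7 @@
 - name: Create directory /var/cache/webmap
 file: path=/var/cache/webmap
 state=directory
- owner=_webmap-download group=nogroup
+ owner=_webmap-download group=root
 mode=0755
 - name: Copy webmap-download@.service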
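Review bot: The /var/cache/webmap task in the last hunk switches the directory to group=root with mode=0755, so the newly created _webmap group gets no write access there even though the rest of the commit exists to share state between _webmap-* users; this looks deliberate (the service's ReadWritePaths= only names _webmap-download as the writer), but nothing in the task records that. A short comment such as `# group=root on purpose: only _webmap-download writes the cache; other _webmap-* users need read access only` would keep a later edit from loosening it to group=_webmap by analogy with the user task above. The `Copy webmap-download@.service` task on the last context line continues outside the hunk.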