Bacula: refactor systemd service files.

Use unit overrides on top of upstream's service files instead of overriding entire service files. In particular, upstream uses flag `-P` so we don't need to use RuntimeDirectory= anymore.
author: Guilhem Moulin <guilhem@fripost.org> 2020-11-03 03:15:10 +0100
committer: Guilhem Moulin <guilhem@fripost.org> 2020-11-03 03:37:11 +0100
commit: ead9aaa3dd7ca48012b2b21cc930ee73c8eaa9d3 (patch)
tree: b656f589d1ff4d4b0d245afad3d8d22ce5e65368 /roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf
parent: 24616de43c39da3fe7efd72426fce078a3afdaea (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf
new file mode 100644
index 0000000..e4ed970
--- /dev/null
+++ b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf
@@ -0,0 +1,13 @@
+[Unit]
+# Hardening
+NoNewPrivileges=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=strict
+ReadWriteDirectories=-/var/lib/bacula
+ReadWriteDirectories=/mnt/backup/bacula
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_INET AF_INET6
author	Guilhem Moulin <guilhem@fripost.org>	2020-11-03 03:15:10 +0100
committer	Guilhem Moulin <guilhem@fripost.org>	2020-11-03 03:37:11 +0100
commit	ead9aaa3dd7ca48012b2b21cc930ee73c8eaa9d3 (patch)
tree	b656f589d1ff4d4b0d245afad3d8d22ce5e65368 /roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf
parent	24616de43c39da3fe7efd72426fce078a3afdaea (diff)