Bacula: refactor systemd service files.

Use unit overrides on top of upstream's service files instead of overriding entire service files. In particular, upstream uses flag `-P` so we don't need to use RuntimeDirectory= anymore.
author: Guilhem Moulin <guilhem@fripost.org> 2020-11-03 03:15:10 +0100
committer: Guilhem Moulin <guilhem@fripost.org> 2020-11-03 03:37:11 +0100
commit: ead9aaa3dd7ca48012b2b21cc930ee73c8eaa9d3 (patch)
tree: b656f589d1ff4d4b0d245afad3d8d22ce5e65368 /roles
parent: 24616de43c39da3fe7efd72426fce078a3afdaea (diff)
6 files changed, 30 insertions, 60 deletions
diff --git a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service.d/override.conf
index 8b2f5ff..f0d36c4 100644
--- a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service
+++ b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service.d/override.conf
@@ -1,14 +1,4 @@
-[Unit]
-Description=Bacula Director service
-After=network.target
-
 [Service]
-Type=simple
-StandardOutput=syslog
-User=bacula
-Group=bacula
-ExecStart=/usr/sbin/bacula-dir -f -c /etc/bacula/bacula-dir.conf
-
 # Hardening
 NoNewPrivileges=yes
 PrivateDevices=yes
@@ -16,12 +6,8 @@ ProtectHome=yes
 ProtectSystem=strict
 ReadWriteDirectories=-/var/lib/bacula
 ReadWriteDirectories=-/var/log/bacula
-RuntimeDirectory=bacula
 PrivateDevices=yes
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/bacula-dir/tasks/main.yml b/roles/bacula-dir/tasks/main.yml
index 2f7ab25..2fdb35b 100644
--- a/roles/bacula-dir/tasks/main.yml
+++ b/roles/bacula-dir/tasks/main.yml
@@ -12,7 +12,7 @@
   notify:
     - Restart bacula-director
 
-# Create with:
+# Populate with:
 #   echo bconsole $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-dir
 #   echo $sd-sd   $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-dir
 #   echo $fd-fd   $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-dir
@@ -41,9 +41,15 @@
   notify:
     - Restart bacula-director
 
-- name: Copy bacula-director.service
-  copy: src=etc/systemd/system/bacula-director.service
-        dest=/etc/systemd/system/bacula-director.service
+- name: Create /etc/systemd/system/bacula-director.service.d
+  file: path=/etc/systemd/system/bacula-director.service.d
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Copy bacula-director.service override
+  copy: src=etc/systemd/system/bacula-director.service.d/override.conf
+        dest=/etc/systemd/system/bacula-director.service.d/override.conf
         owner=root group=root
         mode=0644
   notify:
diff --git a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf
index 61ba01d..e4ed970 100644
--- a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service
+++ b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf
@@ -1,14 +1,4 @@
 [Unit]
-Description=Bacula Storage Daemon service
-After=network.target
-
-[Service]
-Type=simple
-StandardOutput=syslog
-User=bacula
-Group=tape
-ExecStart=/usr/sbin/bacula-sd -f -c /etc/bacula/bacula-sd.conf
-
 # Hardening
 NoNewPrivileges=yes
 PrivateDevices=yes
@@ -16,12 +6,8 @@ ProtectHome=yes
 ProtectSystem=strict
 ReadWriteDirectories=-/var/lib/bacula
 ReadWriteDirectories=/mnt/backup/bacula
-RuntimeDirectory=bacula
 PrivateDevices=yes
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_INET AF_INET6
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/bacula-sd/tasks/main.yml b/roles/bacula-sd/tasks/main.yml
index 93958a8..f30fe7f 100644
--- a/roles/bacula-sd/tasks/main.yml
+++ b/roles/bacula-sd/tasks/main.yml
@@ -1,7 +1,7 @@
 - name: Install bacula-sd
   apt: pkg=bacula-sd
 
-# Create with:
+# Populate with:
 #   echo $director-dir $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-sd
 - name: Ensure /etc/bacula/passwords-sd exists
   file: path=/etc/bacula/passwords-sd
@@ -17,9 +17,15 @@
   notify:
     - Restart bacula-sd
 
-- name: Copy bacula-sd.service
-  copy: src=etc/systemd/system/bacula-sd.service
-        dest=/etc/systemd/system/bacula-sd.service
+- name: Create /etc/systemd/system/bacula-sd.service.d
+  file: path=/etc/systemd/system/bacula-sd.service.d
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Copy bacula-sd.service override
+  copy: src=etc/systemd/system/bacula-sd.service.d/override.conf
+        dest=/etc/systemd/system/bacula-sd.service.d/override.conf
         owner=root group=root
         mode=0644
   notify:
diff --git a/roles/common/files/etc/systemd/system/bacula-fd.service b/roles/common/files/etc/systemd/system/bacula-fd.service.d/override.conf
index 119b3a2..537bf1e 100644
--- a/roles/common/files/etc/systemd/system/bacula-fd.service
+++ b/roles/common/files/etc/systemd/system/bacula-fd.service.d/override.conf
@@ -1,18 +1,9 @@
-[Unit]
-Description=Bacula File Daemon service
-After=network.target
-
 [Service]
-Type=simple
-StandardOutput=syslog
-ExecStart=/usr/sbin/bacula-fd -f -c /etc/bacula/bacula-fd.conf
-
 # Hardening
 NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=strict
 ReadWriteDirectories=/var/lib/bacula
-RuntimeDirectory=bacula
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectControlGroups=yes
@@ -20,6 +11,3 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 CapabilityBoundingSet=CAP_DAC_READ_SEARCH
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/common/tasks/bacula.yml b/roles/common/tasks/bacula.yml
index fb37b5b..308e358 100644
--- a/roles/common/tasks/bacula.yml
+++ b/roles/common/tasks/bacula.yml
@@ -10,7 +10,7 @@
 - name: Delete /etc/bacula/common_default_passwords
   file: path=/etc/bacula/common_default_passwords state=absent
 
-# Create with:
+# Populate with:
 #   echo $director-dir $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-fd
 - name: Ensure /etc/bacula/passwords-fd exists
   file: path=/etc/bacula/passwords-fd
@@ -54,23 +54,21 @@
   tags:
     - genkey
 
-- name: Copy bacula-fd.service
-  copy: src=etc/systemd/system/bacula-fd.service
-        dest=/etc/systemd/system/bacula-fd.service
+- name: Create /etc/systemd/system/bacula-fd.service.d
+  file: path=/etc/systemd/system/bacula-fd.service.d
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Copy bacula-fd.service override
+  copy: src=etc/systemd/system/bacula-fd.service.d/override.conf
+        dest=/etc/systemd/system/bacula-fd.service.d/override.conf
         owner=root group=root
         mode=0644
   notify:
     - systemctl daemon-reload
     - Restart bacula-fd
 
-# We use RuntimeDirectory in our service unit to avoid permission issues
-# caused by the restrictive Capability Bounding Set
-- name: Mask /usr/lib/tmpfiles.d/bacula.conf
-  file: src=/dev/null
-        dest=/etc/tmpfiles.d/bacula.conf
-        owner=root group=root
-        state=link
-
 - meta: flush_handlers
 
 - name: Enable bacula-fd
author	Guilhem Moulin <guilhem@fripost.org>	2020-11-03 03:15:10 +0100
committer	Guilhem Moulin <guilhem@fripost.org>	2020-11-03 03:37:11 +0100
commit	ead9aaa3dd7ca48012b2b21cc930ee73c8eaa9d3 (patch)
tree	b656f589d1ff4d4b0d245afad3d8d22ce5e65368 /roles
parent	24616de43c39da3fe7efd72426fce078a3afdaea (diff)