From ead9aaa3dd7ca48012b2b21cc930ee73c8eaa9d3 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Tue, 3 Nov 2020 03:15:10 +0100
Subject: Bacula: refactor systemd service files.

Use unit overrides on top of upstream's service files instead of
overriding entire service files.  In particular, upstream uses flag `-P`
so we don't need to use RuntimeDirectory= anymore.
---
 .../etc/systemd/system/bacula-director.service     | 27 ----------------------
 .../system/bacula-director.service.d/override.conf | 13 +++++++++++
 roles/bacula-dir/tasks/main.yml                    | 14 +++++++----
 .../files/etc/systemd/system/bacula-sd.service     | 27 ----------------------
 .../system/bacula-sd.service.d/override.conf       | 13 +++++++++++
 roles/bacula-sd/tasks/main.yml                     | 14 +++++++----
 .../files/etc/systemd/system/bacula-fd.service     | 25 --------------------
 .../system/bacula-fd.service.d/override.conf       | 13 +++++++++++
 roles/common/tasks/bacula.yml                      | 22 ++++++++----------
 9 files changed, 69 insertions(+), 99 deletions(-)
 delete mode 100644 roles/bacula-dir/files/etc/systemd/system/bacula-director.service
 create mode 100644 roles/bacula-dir/files/etc/systemd/system/bacula-director.service.d/override.conf
 delete mode 100644 roles/bacula-sd/files/etc/systemd/system/bacula-sd.service
 create mode 100644 roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf
 delete mode 100644 roles/common/files/etc/systemd/system/bacula-fd.service
 create mode 100644 roles/common/files/etc/systemd/system/bacula-fd.service.d/override.conf

diff --git a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service
deleted file mode 100644
index 8b2f5ff..0000000
--- a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service
+++ /dev/null
@@ -1,27 +0,0 @@
-[Unit]
-Description=Bacula Director service
-After=network.target
-
-[Service]
-Type=simple
-StandardOutput=syslog
-User=bacula
-Group=bacula
-ExecStart=/usr/sbin/bacula-dir -f -c /etc/bacula/bacula-dir.conf
-
-# Hardening
-NoNewPrivileges=yes
-PrivateDevices=yes
-ProtectHome=yes
-ProtectSystem=strict
-ReadWriteDirectories=-/var/lib/bacula
-ReadWriteDirectories=-/var/log/bacula
-RuntimeDirectory=bacula
-PrivateDevices=yes
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service.d/override.conf b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service.d/override.conf
new file mode 100644
index 0000000..f0d36c4
--- /dev/null
+++ b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service.d/override.conf
@@ -0,0 +1,13 @@
+[Service]
+# Hardening
+NoNewPrivileges=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=strict
+ReadWriteDirectories=-/var/lib/bacula
+ReadWriteDirectories=-/var/log/bacula
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
diff --git a/roles/bacula-dir/tasks/main.yml b/roles/bacula-dir/tasks/main.yml
index 2f7ab25..2fdb35b 100644
--- a/roles/bacula-dir/tasks/main.yml
+++ b/roles/bacula-dir/tasks/main.yml
@@ -12,7 +12,7 @@
   notify:
     - Restart bacula-director
 
-# Create with:
+# Populate with:
 #   echo bconsole $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-dir
 #   echo $sd-sd   $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-dir
 #   echo $fd-fd   $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-dir
@@ -41,9 +41,15 @@
   notify:
     - Restart bacula-director
 
-- name: Copy bacula-director.service
-  copy: src=etc/systemd/system/bacula-director.service
-        dest=/etc/systemd/system/bacula-director.service
+- name: Create /etc/systemd/system/bacula-director.service.d
+  file: path=/etc/systemd/system/bacula-director.service.d
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Copy bacula-director.service override
+  copy: src=etc/systemd/system/bacula-director.service.d/override.conf
+        dest=/etc/systemd/system/bacula-director.service.d/override.conf
         owner=root group=root
         mode=0644
   notify:
diff --git a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service
deleted file mode 100644
index 61ba01d..0000000
--- a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service
+++ /dev/null
@@ -1,27 +0,0 @@
-[Unit]
-Description=Bacula Storage Daemon service
-After=network.target
-
-[Service]
-Type=simple
-StandardOutput=syslog
-User=bacula
-Group=tape
-ExecStart=/usr/sbin/bacula-sd -f -c /etc/bacula/bacula-sd.conf
-
-# Hardening
-NoNewPrivileges=yes
-PrivateDevices=yes
-ProtectHome=yes
-ProtectSystem=strict
-ReadWriteDirectories=-/var/lib/bacula
-ReadWriteDirectories=/mnt/backup/bacula
-RuntimeDirectory=bacula
-PrivateDevices=yes
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-RestrictAddressFamilies=AF_INET AF_INET6
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf
new file mode 100644
index 0000000..e4ed970
--- /dev/null
+++ b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf
@@ -0,0 +1,13 @@
+[Unit]
+# Hardening
+NoNewPrivileges=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=strict
+ReadWriteDirectories=-/var/lib/bacula
+ReadWriteDirectories=/mnt/backup/bacula
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_INET AF_INET6
diff --git a/roles/bacula-sd/tasks/main.yml b/roles/bacula-sd/tasks/main.yml
index 93958a8..f30fe7f 100644
--- a/roles/bacula-sd/tasks/main.yml
+++ b/roles/bacula-sd/tasks/main.yml
@@ -1,7 +1,7 @@
 - name: Install bacula-sd
   apt: pkg=bacula-sd
 
-# Create with:
+# Populate with:
 #   echo $director-dir $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-sd
 - name: Ensure /etc/bacula/passwords-sd exists
   file: path=/etc/bacula/passwords-sd
@@ -17,9 +17,15 @@
   notify:
     - Restart bacula-sd
 
-- name: Copy bacula-sd.service
-  copy: src=etc/systemd/system/bacula-sd.service
-        dest=/etc/systemd/system/bacula-sd.service
+- name: Create /etc/systemd/system/bacula-sd.service.d
+  file: path=/etc/systemd/system/bacula-sd.service.d
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Copy bacula-sd.service override
+  copy: src=etc/systemd/system/bacula-sd.service.d/override.conf
+        dest=/etc/systemd/system/bacula-sd.service.d/override.conf
         owner=root group=root
         mode=0644
   notify:
diff --git a/roles/common/files/etc/systemd/system/bacula-fd.service b/roles/common/files/etc/systemd/system/bacula-fd.service
deleted file mode 100644
index 119b3a2..0000000
--- a/roles/common/files/etc/systemd/system/bacula-fd.service
+++ /dev/null
@@ -1,25 +0,0 @@
-[Unit]
-Description=Bacula File Daemon service
-After=network.target
-
-[Service]
-Type=simple
-StandardOutput=syslog
-ExecStart=/usr/sbin/bacula-fd -f -c /etc/bacula/bacula-fd.conf
-
-# Hardening
-NoNewPrivileges=yes
-ProtectHome=read-only
-ProtectSystem=strict
-ReadWriteDirectories=/var/lib/bacula
-RuntimeDirectory=bacula
-PrivateTmp=yes
-PrivateDevices=yes
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-CapabilityBoundingSet=CAP_DAC_READ_SEARCH
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/common/files/etc/systemd/system/bacula-fd.service.d/override.conf b/roles/common/files/etc/systemd/system/bacula-fd.service.d/override.conf
new file mode 100644
index 0000000..537bf1e
--- /dev/null
+++ b/roles/common/files/etc/systemd/system/bacula-fd.service.d/override.conf
@@ -0,0 +1,13 @@
+[Service]
+# Hardening
+NoNewPrivileges=yes
+ProtectHome=read-only
+ProtectSystem=strict
+ReadWriteDirectories=/var/lib/bacula
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
diff --git a/roles/common/tasks/bacula.yml b/roles/common/tasks/bacula.yml
index fb37b5b..308e358 100644
--- a/roles/common/tasks/bacula.yml
+++ b/roles/common/tasks/bacula.yml
@@ -10,7 +10,7 @@
 - name: Delete /etc/bacula/common_default_passwords
   file: path=/etc/bacula/common_default_passwords state=absent
 
-# Create with:
+# Populate with:
 #   echo $director-dir $(pwgen -sn 64 1) | sudo tee -a /etc/bacula/passwords-fd
 - name: Ensure /etc/bacula/passwords-fd exists
   file: path=/etc/bacula/passwords-fd
@@ -54,23 +54,21 @@
   tags:
     - genkey
 
-- name: Copy bacula-fd.service
-  copy: src=etc/systemd/system/bacula-fd.service
-        dest=/etc/systemd/system/bacula-fd.service
+- name: Create /etc/systemd/system/bacula-fd.service.d
+  file: path=/etc/systemd/system/bacula-fd.service.d
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Copy bacula-fd.service override
+  copy: src=etc/systemd/system/bacula-fd.service.d/override.conf
+        dest=/etc/systemd/system/bacula-fd.service.d/override.conf
         owner=root group=root
         mode=0644
   notify:
     - systemctl daemon-reload
     - Restart bacula-fd
 
-# We use RuntimeDirectory in our service unit to avoid permission issues
-# caused by the restrictive Capability Bounding Set
-- name: Mask /usr/lib/tmpfiles.d/bacula.conf
-  file: src=/dev/null
-        dest=/etc/tmpfiles.d/bacula.conf
-        owner=root group=root
-        state=link
-
 - meta: flush_handlers
 
 - name: Enable bacula-fd
-- 
cgit v1.2.3