From ead9aaa3dd7ca48012b2b21cc930ee73c8eaa9d3 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Tue, 3 Nov 2020 03:15:10 +0100
Subject: Bacula: refactor systemd service files. Use unit overrides on top of upstream's service files instead of overriding entire service files. In particular, upstream uses flag `-P` so we don't need to use RuntimeDirectory= anymore.
---
.../etc/systemd/system/bacula-sd.service.d/override.conf | 13 +++++++++++++
1 file changed, 13 insertions(+)
create mode 100644 roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf
(limited to 'roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf')
diff --git a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf
new file mode 100644
index 0000000..e4ed970
--- /dev/null
+++ b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service.d/override.conf
@@ -0,0 +1,13 @@
+[Unit]
+# Hardening
+NoNewPrivileges=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=strict
+ReadWriteDirectories=-/var/lib/bacula
+ReadWriteDirectories=/mnt/backup/bacula
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_INET AF_INET6
--
cgit v1.2.3
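Review bot: The hardening directives in the new override.conf sit under `[Unit]`, but NoNewPrivileges=, ProtectSystem=, PrivateDevices=, RestrictAddressFamilies= and the others are execution settings that systemd reads only from `[Service]`; under `[Unit]` they are logged as unknown keys and ignored, so bacula-sd would start with none of this sandboxing applied. Change the section header to `[Service]` and confirm the result after a daemon-reload with `systemd-analyze verify bacula-sd.service` or `systemctl show bacula-sd -p NoNewPrivileges -p ProtectSystem`. `PrivateDevices=yes` is listed twice, and `ReadWriteDirectories=` is the legacy spelling of `ReadWritePaths=`. Once the section is fixed, `RestrictAddressFamilies=AF_INET AF_INET6` will also deny AF_UNIX, which may matter if the daemon logs through the syslog socket, so that is worth testing before rollout.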