From e136d3edbdb6749d4559939dc9fcbc11d166e34c Mon Sep 17 00:00:00 2001 
From: Guilhem Moulin Date: Wed, 31 May 2017 17:39:57 +0200 Subject: =?UTF-8?q?/lib/systemd/system=20=E2=86=92=20/etc/systemd/system?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../etc/systemd/system/bacula-director.service | 24 +++++++++++++++++++++ .../lib/systemd/system/bacula-director.service | 24 --------------------- roles/bacula-dir/tasks/main.yml | 4 ++-- .../files/etc/systemd/system/bacula-sd.service | 24 +++++++++++++++++++++ .../files/lib/systemd/system/bacula-sd.service | 24 --------------------- roles/bacula-sd/tasks/main.yml | 4 ++-- .../files/etc/systemd/system/bacula-fd.service | 22 +++++++++++++++++++ .../files/etc/systemd/system/stunnel4.service | 14 ++++++++++++ .../files/etc/systemd/system/stunnel4@.service | 23 ++++++++++++++++++++ .../files/lib/systemd/system/bacula-fd.service | 22 ------------------- .../files/lib/systemd/system/stunnel4.service | 14 ------------ .../files/lib/systemd/system/stunnel4@.service | 23 -------------------- roles/common/tasks/bacula.yml | 4 ++-- roles/common/tasks/stunnel.yml | 4 ++-- .../lists/files/etc/systemd/system/wwsympa.service | 25 ++++++++++++++++++++++ .../lists/files/etc/systemd/system/wwsympa.socket | 11 ++++++++++ .../lists/files/lib/systemd/system/wwsympa.service | 25 ---------------------- .../lists/files/lib/systemd/system/wwsympa.socket | 11 ---------- roles/lists/tasks/sympa.yml | 4 ++-- .../etc/systemd/system/munin-cgi-graph.service | 23 ++++++++++++++++++++ .../etc/systemd/system/munin-cgi-graph.socket | 11 ++++++++++ .../etc/systemd/system/munin-cgi-html.service | 22 +++++++++++++++++++ .../files/etc/systemd/system/munin-cgi-html.socket | 11 ++++++++++ .../lib/systemd/system/munin-cgi-graph.service | 23 -------------------- .../lib/systemd/system/munin-cgi-graph.socket | 11 ---------- .../lib/systemd/system/munin-cgi-html.service | 22 ------------------- .../files/lib/systemd/system/munin-cgi-html.socket | 11 ---------- 
roles/munin-master/tasks/main.yml | 8 +++---- 28 files changed, 224 insertions(+), 224 deletions(-) create mode 100644 roles/bacula-dir/files/etc/systemd/system/bacula-director.service delete mode 100644 roles/bacula-dir/files/lib/systemd/system/bacula-director.service create mode 100644 roles/bacula-sd/files/etc/systemd/system/bacula-sd.service delete mode 100644 roles/bacula-sd/files/lib/systemd/system/bacula-sd.service create mode 100644 roles/common/files/etc/systemd/system/bacula-fd.service create mode 100644 roles/common/files/etc/systemd/system/stunnel4.service create mode 100644 roles/common/files/etc/systemd/system/stunnel4@.service delete mode 100644 roles/common/files/lib/systemd/system/bacula-fd.service delete mode 100644 roles/common/files/lib/systemd/system/stunnel4.service delete mode 100644 roles/common/files/lib/systemd/system/stunnel4@.service create mode 100644 roles/lists/files/etc/systemd/system/wwsympa.service create mode 100644 roles/lists/files/etc/systemd/system/wwsympa.socket delete mode 100644 roles/lists/files/lib/systemd/system/wwsympa.service delete mode 100644 roles/lists/files/lib/systemd/system/wwsympa.socket create mode 100644 roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service create mode 100644 roles/munin-master/files/etc/systemd/system/munin-cgi-graph.socket create mode 100644 roles/munin-master/files/etc/systemd/system/munin-cgi-html.service create mode 100644 roles/munin-master/files/etc/systemd/system/munin-cgi-html.socket delete mode 100644 roles/munin-master/files/lib/systemd/system/munin-cgi-graph.service delete mode 100644 roles/munin-master/files/lib/systemd/system/munin-cgi-graph.socket delete mode 100644 roles/munin-master/files/lib/systemd/system/munin-cgi-html.service delete mode 100644 roles/munin-master/files/lib/systemd/system/munin-cgi-html.socket (limited to 'roles') 
diff --git a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service new file mode 100644 index 0000000..8f952c6 --- /dev/null +++ b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service @@ -0,0 +1,24 @@ +[Unit] +Description=Bacula Director service +After=network.target + +[Service] +Type=forking +PIDFile=/var/run/bacula/bacula-dir.9101.pid +StandardOutput=syslog +User=bacula +Group=bacula +ExecStart=/usr/sbin/bacula-dir -c /etc/bacula/bacula-dir.conf + +# Hardening +NoNewPrivileges=yes +PrivateDevices=yes +ProtectHome=yes +ProtectSystem=full +ReadOnlyDirectories=/ +ReadWriteDirectories=-/var/lib/bacula +ReadWriteDirectories=-/var/log/bacula +ReadWriteDirectories=-/var/run/bacula + +[Install] +WantedBy=multi-user.target diff --git a/roles/bacula-dir/files/lib/systemd/system/bacula-director.service b/roles/bacula-dir/files/lib/systemd/system/bacula-director.service deleted file mode 100644 index 8f952c6..0000000 --- a/roles/bacula-dir/files/lib/systemd/system/bacula-director.service +++ /dev/null @@ -1,24 +0,0 @@ -[Unit] -Description=Bacula Director service -After=network.target - -[Service] -Type=forking -PIDFile=/var/run/bacula/bacula-dir.9101.pid -StandardOutput=syslog -User=bacula -Group=bacula -ExecStart=/usr/sbin/bacula-dir -c /etc/bacula/bacula-dir.conf - -# Hardening -NoNewPrivileges=yes -PrivateDevices=yes -ProtectHome=yes -ProtectSystem=full -ReadOnlyDirectories=/ -ReadWriteDirectories=-/var/lib/bacula -ReadWriteDirectories=-/var/log/bacula -ReadWriteDirectories=-/var/run/bacula - -[Install] -WantedBy=multi-user.target diff --git a/roles/bacula-dir/tasks/main.yml b/roles/bacula-dir/tasks/main.yml index 30a25c1..5a23dc5 100644 --- a/roles/bacula-dir/tasks/main.yml +++ b/roles/bacula-dir/tasks/main.yml 
@@ -40,8 +40,8 @@ - Restart bacula-director - name: Copy bacula-director.service - copy: src=lib/systemd/system/bacula-director.service - dest=/lib/systemd/system/bacula-director.service + copy: src=etc/systemd/system/bacula-director.service + dest=/etc/systemd/system/bacula-director.service owner=root group=root mode=0644 notify: diff --git a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service new file mode 100644 index 0000000..698ad17 --- /dev/null +++ b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service @@ -0,0 +1,24 @@ +[Unit] +Description=Bacula Storage Daemon service +After=network.target + +[Service] +Type=forking +PIDFile=/var/run/bacula/bacula-sd.9103.pid +StandardOutput=syslog +User=bacula +Group=tape +ExecStart=/usr/sbin/bacula-sd -c /etc/bacula/bacula-sd.conf + +# Hardening +NoNewPrivileges=yes +PrivateDevices=yes +ProtectHome=yes +ProtectSystem=full +ReadOnlyDirectories=/ +ReadWriteDirectories=-/var/lib/bacula +ReadWriteDirectories=-/var/run/bacula +ReadWriteDirectories=/mnt/backup/bacula + +[Install] +WantedBy=multi-user.target diff --git a/roles/bacula-sd/files/lib/systemd/system/bacula-sd.service b/roles/bacula-sd/files/lib/systemd/system/bacula-sd.service deleted file mode 100644 index 698ad17..0000000 --- a/roles/bacula-sd/files/lib/systemd/system/bacula-sd.service +++ /dev/null @@ -1,24 +0,0 @@ -[Unit] -Description=Bacula Storage Daemon service -After=network.target - -[Service] -Type=forking -PIDFile=/var/run/bacula/bacula-sd.9103.pid -StandardOutput=syslog -User=bacula -Group=tape -ExecStart=/usr/sbin/bacula-sd -c /etc/bacula/bacula-sd.conf - -# Hardening -NoNewPrivileges=yes -PrivateDevices=yes -ProtectHome=yes -ProtectSystem=full -ReadOnlyDirectories=/ -ReadWriteDirectories=-/var/lib/bacula -ReadWriteDirectories=-/var/run/bacula -ReadWriteDirectories=/mnt/backup/bacula - -[Install] -WantedBy=multi-user.target 
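Review bot: The `Copy bacula-director.service` task now writes to /etc/systemd/system, but nothing visible removes the copy that earlier runs left at /lib/systemd/system, so already-provisioned hosts keep both files. systemd prefers the /etc copy, so the hardened unit still takes effect, but the stale file can mislead anyone auditing the host. For units that no package ships, I would add a cleanup task next to the copy, e.g. `file: path=/lib/systemd/system/bacula-director.service state=absent`. The same applies to the copy tasks in roles/bacula-sd/tasks/main.yml, roles/common/tasks/bacula.yml, roles/common/tasks/stunnel.yml, roles/lists/tasks/sympa.yml and roles/munin-master/tasks/main.yml. The `notify:` list continues outside the hunk, so it is worth confirming that the notified handler runs a systemd daemon-reload before the restart; otherwise the relocated unit is not picked up.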
diff --git a/roles/bacula-sd/tasks/main.yml b/roles/bacula-sd/tasks/main.yml index ad77db4..19ae2f3 100644 --- a/roles/bacula-sd/tasks/main.yml +++ b/roles/bacula-sd/tasks/main.yml @@ -18,8 +18,8 @@ - Restart bacula-sd - name: Copy bacula-sd.service - copy: src=lib/systemd/system/bacula-sd.service - dest=/lib/systemd/system/bacula-sd.service + copy: src=etc/systemd/system/bacula-sd.service + dest=/etc/systemd/system/bacula-sd.service owner=root group=root mode=0644 notify: diff --git a/roles/common/files/etc/systemd/system/bacula-fd.service b/roles/common/files/etc/systemd/system/bacula-fd.service new file mode 100644 index 0000000..ee5afe3 --- /dev/null +++ b/roles/common/files/etc/systemd/system/bacula-fd.service @@ -0,0 +1,22 @@ +[Unit] +Description=Bacula File Daemon service +After=network.target + +[Service] +Type=forking +PIDFile=/var/run/bacula/bacula-fd.9102.pid +StandardOutput=syslog +ExecStart=/usr/sbin/bacula-fd -c /etc/bacula/bacula-fd.conf + +# Hardening +NoNewPrivileges=yes +PrivateDevices=yes +ProtectHome=read-only +ProtectSystem=full +PrivateTmp=yes +ReadOnlyDirectories=/ +ReadWriteDirectories=-/var/lib +ReadWriteDirectories=-/var/run/bacula + +[Install] +WantedBy=multi-user.target diff --git a/roles/common/files/etc/systemd/system/stunnel4.service b/roles/common/files/etc/systemd/system/stunnel4.service new file mode 100644 index 0000000..990e07b --- /dev/null +++ b/roles/common/files/etc/systemd/system/stunnel4.service @@ -0,0 +1,14 @@ +# This service is actually a systemd target, +# but we are using a service since targets cannot be reloaded. + +[Unit] +Description=SSL tunnel for network daemons (multi-instance-master) + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/bin/true +ExecReload=/bin/true + +[Install] +WantedBy=multi-user.target diff --git a/roles/common/files/etc/systemd/system/stunnel4@.service b/roles/common/files/etc/systemd/system/stunnel4@.service new file mode 100644 index 0000000..e53d29e --- /dev/null 
+++ b/roles/common/files/etc/systemd/system/stunnel4@.service @@ -0,0 +1,23 @@ +[Unit] +Description=SSL tunnel for network daemons (instance %i) +After=network.target nss-lookup.target +PartOf=stunnel4.service +ReloadPropagatedFrom=stunnel4.service + +[Service] +ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf +ExecReload=/bin/kill -HUP ${MAINPID} +KillSignal=SIGINT +TimeoutStartSec=120 +TimeoutStopSec=60 +Restart=on-failure + +# Hardening +NoNewPrivileges=yes +PrivateDevices=yes +ProtectHome=yes +ProtectSystem=full +ReadOnlyDirectories=/ + +[Install] +WantedBy=multi-user.target diff --git a/roles/common/files/lib/systemd/system/bacula-fd.service b/roles/common/files/lib/systemd/system/bacula-fd.service deleted file mode 100644 index ee5afe3..0000000 --- a/roles/common/files/lib/systemd/system/bacula-fd.service +++ /dev/null @@ -1,22 +0,0 @@ -[Unit] -Description=Bacula File Daemon service -After=network.target - -[Service] -Type=forking -PIDFile=/var/run/bacula/bacula-fd.9102.pid -StandardOutput=syslog -ExecStart=/usr/sbin/bacula-fd -c /etc/bacula/bacula-fd.conf - -# Hardening -NoNewPrivileges=yes -PrivateDevices=yes -ProtectHome=read-only -ProtectSystem=full -PrivateTmp=yes -ReadOnlyDirectories=/ -ReadWriteDirectories=-/var/lib -ReadWriteDirectories=-/var/run/bacula - -[Install] -WantedBy=multi-user.target diff --git a/roles/common/files/lib/systemd/system/stunnel4.service b/roles/common/files/lib/systemd/system/stunnel4.service deleted file mode 100644 index 990e07b..0000000 --- a/roles/common/files/lib/systemd/system/stunnel4.service +++ /dev/null @@ -1,14 +0,0 @@ -# This service is actually a systemd target, -# but we are using a service since targets cannot be reloaded. - -[Unit] -Description=SSL tunnel for network daemons (multi-instance-master) - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/bin/true -ExecReload=/bin/true - -[Install] -WantedBy=multi-user.target 
diff --git a/roles/common/files/lib/systemd/system/stunnel4@.service b/roles/common/files/lib/systemd/system/stunnel4@.service deleted file mode 100644 index e53d29e..0000000 --- a/roles/common/files/lib/systemd/system/stunnel4@.service +++ /dev/null @@ -1,23 +0,0 @@ -[Unit] -Description=SSL tunnel for network daemons (instance %i) -After=network.target nss-lookup.target -PartOf=stunnel4.service -ReloadPropagatedFrom=stunnel4.service - -[Service] -ExecStart=/usr/bin/stunnel4 /etc/stunnel/%i.conf -ExecReload=/bin/kill -HUP ${MAINPID} -KillSignal=SIGINT -TimeoutStartSec=120 -TimeoutStopSec=60 -Restart=on-failure - -# Hardening -NoNewPrivileges=yes -PrivateDevices=yes -ProtectHome=yes -ProtectSystem=full -ReadOnlyDirectories=/ - -[Install] -WantedBy=multi-user.target diff --git a/roles/common/tasks/bacula.yml b/roles/common/tasks/bacula.yml index 35666bd..73a2fa1 100644 --- a/roles/common/tasks/bacula.yml +++ b/roles/common/tasks/bacula.yml @@ -55,8 +55,8 @@ - genkey - name: Copy bacula-fd.service - copy: src=lib/systemd/system/bacula-fd.service - dest=/lib/systemd/system/bacula-fd.service + copy: src=etc/systemd/system/bacula-fd.service + dest=/etc/systemd/system/bacula-fd.service owner=root group=root mode=0644 notify: diff --git a/roles/common/tasks/stunnel.yml b/roles/common/tasks/stunnel.yml index 68469cd..7cb8823 100644 --- a/roles/common/tasks/stunnel.yml +++ b/roles/common/tasks/stunnel.yml @@ -9,8 +9,8 @@ mode=0644 - name: Copy stunnel4 service file - copy: src=lib/systemd/system/{{ item }} - dest=/lib/systemd/system/{{ item }} + copy: src=etc/systemd/system/{{ item }} + dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 notify: diff --git a/roles/lists/files/etc/systemd/system/wwsympa.service b/roles/lists/files/etc/systemd/system/wwsympa.service new file mode 100644 index 0000000..4e3d94b --- /dev/null +++ b/roles/lists/files/etc/systemd/system/wwsympa.service 
@@ -0,0 +1,25 @@ +[Unit] +Description=WWSympa Service +After=network.target +PartOf=sympa.service +Requires=wwsympa.socket + +[Service] +StandardInput=socket +User=sympa +Group=sympa +ExecStart=/usr/lib/cgi-bin/sympa/wwsympa.fcgi + +# Hardening +NoNewPrivileges=yes +PrivateDevices=yes +ProtectHome=yes +ProtectSystem=full +PrivateTmp=yes +ReadOnlyDirectories=/ +ReadWriteDirectories=-/var/lib/sympa +ReadWriteDirectories=-/var/run/sympa +ReadWriteDirectories=-/var/spool/sympa + +[Install] +WantedBy=multi-user.target diff --git a/roles/lists/files/etc/systemd/system/wwsympa.socket b/roles/lists/files/etc/systemd/system/wwsympa.socket new file mode 100644 index 0000000..10fe721 --- /dev/null +++ b/roles/lists/files/etc/systemd/system/wwsympa.socket @@ -0,0 +1,11 @@ +[Unit] +Description=WWSympa Listen Socket + +[Socket] +SocketUser=www-data +SocketGroup=www-data +SocketMode=0600 +ListenStream=/run/wwsympa.socket + +[Install] +WantedBy=sockets.target diff --git a/roles/lists/files/lib/systemd/system/wwsympa.service b/roles/lists/files/lib/systemd/system/wwsympa.service deleted file mode 100644 index 4e3d94b..0000000 --- a/roles/lists/files/lib/systemd/system/wwsympa.service +++ /dev/null @@ -1,25 +0,0 @@ -[Unit] -Description=WWSympa Service -After=network.target -PartOf=sympa.service -Requires=wwsympa.socket - -[Service] -StandardInput=socket -User=sympa -Group=sympa -ExecStart=/usr/lib/cgi-bin/sympa/wwsympa.fcgi - -# Hardening -NoNewPrivileges=yes -PrivateDevices=yes -ProtectHome=yes -ProtectSystem=full -PrivateTmp=yes -ReadOnlyDirectories=/ -ReadWriteDirectories=-/var/lib/sympa -ReadWriteDirectories=-/var/run/sympa -ReadWriteDirectories=-/var/spool/sympa - -[Install] -WantedBy=multi-user.target diff --git a/roles/lists/files/lib/systemd/system/wwsympa.socket b/roles/lists/files/lib/systemd/system/wwsympa.socket deleted file mode 100644 index 10fe721..0000000 --- a/roles/lists/files/lib/systemd/system/wwsympa.socket +++ /dev/null 
@@ -1,11 +0,0 @@ -[Unit] -Description=WWSympa Listen Socket - -[Socket] -SocketUser=www-data -SocketGroup=www-data -SocketMode=0600 -ListenStream=/run/wwsympa.socket - -[Install] -WantedBy=sockets.target diff --git a/roles/lists/tasks/sympa.yml b/roles/lists/tasks/sympa.yml index 981de8a..4aaa2c9 100644 --- a/roles/lists/tasks/sympa.yml +++ b/roles/lists/tasks/sympa.yml @@ -75,8 +75,8 @@ - meta: flush_handlers - name: Copy wwsympa.{service,socket} - copy: src=lib/systemd/system/{{ item }} - dest=/lib/systemd/system/{{ item }} + copy: src=etc/systemd/system/{{ item }} + dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 notify: diff --git a/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service b/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service new file mode 100644 index 0000000..60ab444 --- /dev/null +++ b/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service @@ -0,0 +1,23 @@ +[Unit] +Description=Munin CGI Graph Service +After=network.target +PartOf=munin.service +Requires=munin-cgi-graph.socket + +[Service] +StandardInput=socket +User=www-data +Group=munin +ExecStart=/usr/lib/munin/cgi/munin-cgi-graph + +# Hardening +NoNewPrivileges=yes +PrivateDevices=yes +ProtectHome=yes +ProtectSystem=full +ReadOnlyDirectories=/ +ReadWriteDirectories=-/var/log/munin +ReadWriteDirectories=-/var/lib/munin/cgi-tmp/munin-cgi-graph + +[Install] +WantedBy=multi-user.target diff --git a/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.socket b/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.socket new file mode 100644 index 0000000..d4d2e27 --- /dev/null +++ b/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.socket @@ -0,0 +1,11 @@ +[Unit] +Description=Munin CGI Graph Listen Socket + +[Socket] +SocketUser=www-data +SocketGroup=www-data +SocketMode=0600 +ListenStream=/run/munin/cgi-graph.socket + +[Install] +WantedBy=sockets.target 
diff --git a/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service b/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service new file mode 100644 index 0000000..119d3a2 --- /dev/null +++ b/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service @@ -0,0 +1,22 @@ +[Unit] +Description=Munin CGI HTML Service +After=network.target +PartOf=munin.service +Requires=munin-cgi-html.socket + +[Service] +StandardInput=socket +User=www-data +Group=munin +ExecStart=/usr/lib/munin/cgi/munin-cgi-html + +# Hardening +NoNewPrivileges=yes +PrivateDevices=yes +ProtectHome=yes +ProtectSystem=full +ReadOnlyDirectories=/ +ReadWriteDirectories=-/var/log/munin + +[Install] +WantedBy=multi-user.target diff --git a/roles/munin-master/files/etc/systemd/system/munin-cgi-html.socket b/roles/munin-master/files/etc/systemd/system/munin-cgi-html.socket new file mode 100644 index 0000000..77be2cf --- /dev/null +++ b/roles/munin-master/files/etc/systemd/system/munin-cgi-html.socket @@ -0,0 +1,11 @@ +[Unit] +Description=Munin CGI HTML Listen Socket + +[Socket] +SocketUser=www-data +SocketGroup=www-data +SocketMode=0600 +ListenStream=/run/munin/cgi-html.socket + +[Install] +WantedBy=sockets.target diff --git a/roles/munin-master/files/lib/systemd/system/munin-cgi-graph.service b/roles/munin-master/files/lib/systemd/system/munin-cgi-graph.service deleted file mode 100644 index 60ab444..0000000 --- a/roles/munin-master/files/lib/systemd/system/munin-cgi-graph.service +++ /dev/null 
@@ -1,23 +0,0 @@ -[Unit] -Description=Munin CGI Graph Service -After=network.target -PartOf=munin.service -Requires=munin-cgi-graph.socket - -[Service] -StandardInput=socket -User=www-data -Group=munin -ExecStart=/usr/lib/munin/cgi/munin-cgi-graph - -# Hardening -NoNewPrivileges=yes -PrivateDevices=yes -ProtectHome=yes -ProtectSystem=full -ReadOnlyDirectories=/ -ReadWriteDirectories=-/var/log/munin -ReadWriteDirectories=-/var/lib/munin/cgi-tmp/munin-cgi-graph - -[Install] -WantedBy=multi-user.target diff --git a/roles/munin-master/files/lib/systemd/system/munin-cgi-graph.socket b/roles/munin-master/files/lib/systemd/system/munin-cgi-graph.socket deleted file mode 100644 index d4d2e27..0000000 --- a/roles/munin-master/files/lib/systemd/system/munin-cgi-graph.socket +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=Munin CGI Graph Listen Socket - -[Socket] -SocketUser=www-data -SocketGroup=www-data -SocketMode=0600 -ListenStream=/run/munin/cgi-graph.socket - -[Install] -WantedBy=sockets.target diff --git a/roles/munin-master/files/lib/systemd/system/munin-cgi-html.service b/roles/munin-master/files/lib/systemd/system/munin-cgi-html.service deleted file mode 100644 index 119d3a2..0000000 --- a/roles/munin-master/files/lib/systemd/system/munin-cgi-html.service +++ /dev/null @@ -1,22 +0,0 @@ -[Unit] -Description=Munin CGI HTML Service -After=network.target -PartOf=munin.service -Requires=munin-cgi-html.socket - -[Service] -StandardInput=socket -User=www-data -Group=munin -ExecStart=/usr/lib/munin/cgi/munin-cgi-html - -# Hardening -NoNewPrivileges=yes -PrivateDevices=yes -ProtectHome=yes -ProtectSystem=full -ReadOnlyDirectories=/ -ReadWriteDirectories=-/var/log/munin - -[Install] -WantedBy=multi-user.target diff --git a/roles/munin-master/files/lib/systemd/system/munin-cgi-html.socket b/roles/munin-master/files/lib/systemd/system/munin-cgi-html.socket deleted file mode 100644 index 77be2cf..0000000 
--- a/roles/munin-master/files/lib/systemd/system/munin-cgi-html.socket +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=Munin CGI HTML Listen Socket - -[Socket] -SocketUser=www-data -SocketGroup=www-data -SocketMode=0600 -ListenStream=/run/munin/cgi-html.socket - -[Install] -WantedBy=sockets.target diff --git a/roles/munin-master/tasks/main.yml b/roles/munin-master/tasks/main.yml index bcdc509..8c7a6a6 100644 --- a/roles/munin-master/tasks/main.yml +++ b/roles/munin-master/tasks/main.yml @@ -43,8 +43,8 @@ - munin-cgi-html.log - name: Copy munin-cgi-graph.{service,socket} - copy: src=lib/systemd/system/{{ item }} - dest=/lib/systemd/system/{{ item }} + copy: src=etc/systemd/system/{{ item }} + dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 notify: @@ -55,8 +55,8 @@ - munin-cgi-graph.socket - name: Copy munin-cgi-html.{service,socket} - copy: src=lib/systemd/system/{{ item }} - dest=/lib/systemd/system/{{ item }} + copy: src=etc/systemd/system/{{ item }} + dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644 notify: -- cgit v1.2.3