anti
38832d87d5
Every decnet-*.service.j2 hardcoded User=decnet / Group=decnet. The
init CLI accepted --user / --group and used them for useradd,
chown, /etc/decnet ownership and ReadWritePaths — but the Jinja
context omitted them entirely, so
sudo decnet init --install-dir $PWD --user anti --group anti
rendered
User=decnet
Group=decnet
into every unit, which at best ran the workers as a user that didn't
match the files (fails to read the venv / config), and at worst spun
a parallel system user the operator never asked for.
Swap the hardcoded lines to {{ user }} / {{ group }} across all 13
templates and add both to the Jinja context in _install_units.
44 lines
1.1 KiB
Django/Jinja
44 lines
1.1 KiB
Django/Jinja
[Unit]
|
|
Description=DECNET Service Bus (host-local UNIX-socket pub/sub)
|
|
Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Service-Bus
|
|
After=network-online.target
|
|
Wants=network-online.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
User={{ user }}
|
|
Group={{ group }}
|
|
WorkingDirectory={{ install_dir }}
|
|
EnvironmentFile=-{{ install_dir }}/.env.local
|
|
# /run/decnet is created automatically with the RuntimeDirectory= directive
|
|
# below (mode 0755, owned by User/Group) and cleaned up on stop. The bus
|
|
# socket is placed inside it with 0660 perms so only the decnet group can
|
|
# connect.
|
|
RuntimeDirectory=decnet
|
|
RuntimeDirectoryMode=0755
|
|
ExecStart={{ venv_dir }}/bin/decnet bus \
|
|
--socket /run/decnet/bus.sock \
|
|
--group decnet
|
|
|
|
# No privileged network operations — UNIX-domain socket only.
|
|
CapabilityBoundingSet=
|
|
AmbientCapabilities=
|
|
|
|
# Security Hardening
|
|
NoNewPrivileges=yes
|
|
ProtectSystem=full
|
|
ProtectHome=read-only
|
|
PrivateTmp=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectKernelModules=yes
|
|
ProtectControlGroups=yes
|
|
RestrictSUIDSGID=yes
|
|
LockPersonality=yes
|
|
ReadWritePaths=/run/decnet /var/log/decnet
|
|
|
|
Restart=on-failure
|
|
RestartSec=5
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|