Initial commit with haproxy service

2020-05-16 20:28:54 +02:00 · 2020-05-16 20:28:54 +02:00 · 29497278df
commit 29497278df
3 changed files with 43 additions and 0 deletions
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,7 @@
+- name: Run service actions
+  loop: "{{ systemd }}"
+  systemd:
+        name: '{{ item.name }}'
+        enabled: "{% if item.enabled %}yes{% else %}no{% endif %}"
+        state: "{{ item.action }}"
+        daemon_reload: "{% if item.daemon_reload %}yes{% else %}no{% endif %}"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,13 @@
+- name: Create override directories
+  loop: "{{ systemd }}"
+  file:
+        follow: yes
+        path: "/etc/systemd/system/{{ item.name }}.service.d/"
+        state: directory
+- name: Template service overrides
+  loop: "{{ systemd }}"
+  template:
+        follow: yes
+        src: "{{ item.name }}.service.j2"
+        dest: "/etc/systemd/system/{{ item.name }}.service.d/override.conf"
+  handlers: Run service actions
--- a/templates/haproxy.service.j2
+++ b/templates/haproxy.service.j2
@ -0,0 +1,23 @@
+[Service]
+User=nobody
+Group=nogroup
+
+Environment=
+Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy/haproxy.pid"
+
+ProtectHome=true
+ProtectSystem=true
+PrivateTmp=yes
+PrivateDevices=yes
+RuntimeDirectory=haproxy
+
+NoNewPrivileges=true
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@cpu-emulation @keyring @module @obsolete @raw-io
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+LockPersonality=yes