feat: allow disabling systemd hardening (#74)

jooola · web-flow · commit 8d4f4c97c921 · 2024-01-07T13:51:05.000+01:00
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,6 +1,7 @@
 ---
 libretime_allow_restart: true
 libretime_migrate: true
+libretime_systemd_hardening: true
 
 # libretime_config_template:
 libretime_public_url: "http://localhost:{{ libretime_listen_port }}/"
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -33,11 +33,13 @@ provisioner:
         libretime_playout_systemd_override: |
           [Service]
           Environment=LIBRETIME_LOG_LEVEL=debug
+        libretime_systemd_hardening: false
       instance2:
         libretime_public_url: http://localhost:{{ libretime_listen_port }}/
         libretime_listen_port: 9002
         libretime_api_key: hackme
         libretime_secret_key: hackme
+        libretime_systemd_hardening: false
 
 verifier:
   name: testinfra
diff --git a/templates/systemd/libretime-analyzer.service.j2 b/templates/systemd/libretime-analyzer.service.j2
@@ -3,6 +3,7 @@ Description=LibreTime Media Analyzer Service
 PartOf=libretime.target
 
 [Service]
+{%- if libretime_systemd_hardening %}
 NoNewPrivileges=true
 CapabilityBoundingSet=
 PrivateDevices=true
@@ -16,6 +17,7 @@ ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectProc=invisible
 ProtectSystem=full
+{%- endif %}
 
 Environment=PATH={{ libretime_venv_dir }}/bin:/usr/local/bin:/usr/bin:/bin
 Environment=LIBRETIME_CONFIG_FILEPATH={{ libretime_config_filepath }}
diff --git a/templates/systemd/libretime-api.service.j2 b/templates/systemd/libretime-api.service.j2
@@ -4,6 +4,7 @@ Requires=libretime-api.socket
 PartOf=libretime.target
 
 [Service]
+{%- if libretime_systemd_hardening %}
 NoNewPrivileges=true
 CapabilityBoundingSet=
 PrivateDevices=true
@@ -17,6 +18,7 @@ ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectProc=invisible
 ProtectSystem=full
+{%- endif %}
 
 Environment=PATH={{ libretime_venv_dir }}/bin:/usr/local/bin:/usr/bin:/bin
 Environment=LIBRETIME_CONFIG_FILEPATH={{ libretime_config_filepath }}
diff --git a/templates/systemd/libretime-liquidsoap.service.j2 b/templates/systemd/libretime-liquidsoap.service.j2
@@ -3,6 +3,7 @@ Description=LibreTime Liquidsoap Service
 PartOf=libretime.target
 
 [Service]
+{%- if libretime_systemd_hardening %}
 NoNewPrivileges=true
 CapabilityBoundingSet=
 PrivateDevices=true
@@ -16,6 +17,7 @@ ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectProc=invisible
 ProtectSystem=full
+{%- endif %}
 
 Environment=PATH={{ libretime_venv_dir }}/bin:/usr/local/bin:/usr/bin:/bin
 Environment=LIBRETIME_CONFIG_FILEPATH={{ libretime_config_filepath }}
diff --git a/templates/systemd/libretime-playout.service.j2 b/templates/systemd/libretime-playout.service.j2
@@ -5,6 +5,7 @@ Wants=libretime-liquidsoap.service
 After=libretime-liquidsoap.service
 
 [Service]
+{%- if libretime_systemd_hardening %}
 NoNewPrivileges=true
 CapabilityBoundingSet=
 PrivateDevices=true
@@ -18,6 +19,7 @@ ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectProc=invisible
 ProtectSystem=full
+{%- endif %}
 
 Environment=PATH={{ libretime_venv_dir }}/bin:/usr/local/bin:/usr/bin:/bin
 Environment=LIBRETIME_CONFIG_FILEPATH={{ libretime_config_filepath }}
diff --git a/templates/systemd/libretime-worker.service.j2 b/templates/systemd/libretime-worker.service.j2
@@ -3,6 +3,7 @@ Description=LibreTime Worker Service
 PartOf=libretime.target
 
 [Service]
+{%- if libretime_systemd_hardening %}
 NoNewPrivileges=true
 CapabilityBoundingSet=
 PrivateDevices=true
@@ -16,6 +17,7 @@ ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectProc=invisible
 ProtectSystem=full
+{%- endif %}
 
 Environment=PATH={{ libretime_venv_dir }}/bin:/usr/local/bin:/usr/bin:/bin
 Environment=LIBRETIME_CONFIG_FILEPATH={{ libretime_config_filepath }}
