archwiki: use a drop-in file for memcached@.service instead of an entirely custom unit

This allows to retain all default hardening options that memcached@.service has.

archwiki: use a drop-in file for memcached@.service instead of an entirely custom unit
cb89551f · nl6720 · d6722ad8 · cb89551f · d6722ad8 · cb89551f
Unverified Commit cb89551f authored 2 years ago by nl6720
--- a/roles/archwiki/tasks/main.yml
+++ b/roles/archwiki/tasks/main.yml
@@ -83,12 +83,18 @@
  notify:
    - restart php-fpm@{{ archwiki_user }}

- name: install archwiki memcached service
-  template: src="archwiki-memcached.service.j2" dest="/etc/systemd/system/archwiki-memcached.service" owner=root group=root mode=0644
-
 - name: start and enable systemd socket
  service: name=php-fpm@{{ archwiki_user }}.socket state=started enabled=true

+- name: create memcached.service.d drop-in directory
+  file: path=/etc/systemd/system/memcached@archwiki.service.d state=directory owner=root group=root mode=0755
+
+- name: install memcached.service drop-in
+  template: src="memcached.service.d-archwiki.conf.j2" dest="/etc/systemd/system/memcached@archwiki.service.d/archwiki.conf" owner=root group=root mode=0644
+
+- name: start and enable memcached service
+  service: name=memcached@archwiki.service state=started enabled=true daemon_reload=true
+
 - name: install systemd services/timers
  template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
  loop:
@@ -98,7 +104,6 @@
    - archwiki-prune-cache.service
    - archwiki-prune-cache.timer
    - archwiki-question-updater.service
-    - archwiki-memcached.service

 - name: start and enable archwiki timers and services
  systemd:
@@ -110,7 +115,6 @@
    - archwiki-runjobs.timer
    - archwiki-prune-cache.timer
    - archwiki-runjobs-wait.service
-    - archwiki-memcached.service

 - name: create question answer file
  systemd:

--- a/roles/archwiki/templates/archwiki-memcached.service.j2
+++ b/roles/archwiki/templates/archwiki-memcached.service.j2
-[Unit]
-Description=Archwiki Memcached Daemon
-After=network.target
-
-[Service]
-User={{ archwiki_user }}
-Group=memcached
-ExecStart=/usr/bin/memcached -s {{ archwiki_memcached_socket }} -m {{ archwiki_memcached_memory }} -o modern -a 770
-Restart=always
-NoNewPrivileges=yes
-PrivateTmp=yes
-ProtectHome=true
-PrivateDevices=yes
-ProtectSystem=full
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectControlGroups=true
-MemoryDenyWriteExecute=yes
-
-[Install]
-WantedBy=multi-user.target
--- a/roles/archwiki/templates/memcached.service.d-archwiki.conf.j2
+++ b/roles/archwiki/templates/memcached.service.d-archwiki.conf.j2
+[Service]
+User={{ archwiki_user }}
+Group=memcached
+Environment=CACHESIZE={{ archwiki_memcached_memory }}
+Environment=LISTEN="-s {{ archwiki_memcached_socket }} -a 770"
+ProtectHome=true