From cb89551f520e77184377d555da9117f19c138f6c Mon Sep 17 00:00:00 2001
From: nl6720 <nl6720@gmail.com>
Date: Thu, 9 Jun 2022 15:17:55 +0300
Subject: [PATCH] archwiki: use a drop-in file for memcached@.service instead
 of an entirely custom unit

This allows the instance to retain all of the default hardening options that the packaged memcached@.service already has, instead of re-declaring them in a custom unit.
---
 roles/archwiki/tasks/main.yml                 | 14 ++++++++-----
 .../templates/archwiki-memcached.service.j2   | 21 -------------------
 .../memcached.service.d-archwiki.conf.j2      |  6 ++++++
 3 files changed, 15 insertions(+), 26 deletions(-)
 delete mode 100644 roles/archwiki/templates/archwiki-memcached.service.j2
 create mode 100644 roles/archwiki/templates/memcached.service.d-archwiki.conf.j2

diff --git a/roles/archwiki/tasks/main.yml b/roles/archwiki/tasks/main.yml
index 6a8a80b02..215f49e53 100644
--- a/roles/archwiki/tasks/main.yml
+++ b/roles/archwiki/tasks/main.yml
@@ -83,12 +83,18 @@
   notify:
     - restart php-fpm@{{ archwiki_user }}
 
-- name: install archwiki memcached service
-  template: src="archwiki-memcached.service.j2" dest="/etc/systemd/system/archwiki-memcached.service" owner=root group=root mode=0644
-
 - name: start and enable systemd socket
   service: name=php-fpm@{{ archwiki_user }}.socket state=started enabled=true
 
+- name: create memcached.service.d drop-in directory
+  file: path=/etc/systemd/system/memcached@archwiki.service.d state=directory owner=root group=root mode=0755
+
+- name: install memcached.service drop-in
+  template: src="memcached.service.d-archwiki.conf.j2" dest="/etc/systemd/system/memcached@archwiki.service.d/archwiki.conf" owner=root group=root mode=0644
+
+- name: start and enable memcached service
+  service: name=memcached@archwiki.service state=started enabled=true daemon_reload=true
+
 - name: install systemd services/timers
   template: src="{{ item }}.j2" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
   loop:
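Review bot: The new `install memcached.service drop-in` task has no `notify`, so a later change to `archwiki_memcached_memory` or `archwiki_memcached_socket` is written to disk but the already-running `memcached@archwiki.service` keeps its old configuration; the following `service ... state=started` task is a no-op when the unit is running, and `daemon_reload` by itself does not restart it. The php-fpm task at the top of this hunk shows the role's handler pattern, so add `notify:` / `  - restart memcached@archwiki` to the template task with a handler elsewhere in the role that runs `systemd: name=memcached@archwiki.service state=restarted daemon_reload=true`; the handler file is outside this hunk, so its exact name cannot be confirmed here. Separately, `daemon_reload` is not a documented option of the `service` module and only works because `service` proxies its arguments to `systemd`; the `systemd:` module already used further down in this file would be the more explicit choice for the start task.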
@@ -98,7 +104,6 @@
     - archwiki-prune-cache.service
     - archwiki-prune-cache.timer
     - archwiki-question-updater.service
-    - archwiki-memcached.service
 
 - name: start and enable archwiki timers and services
   systemd:
@@ -110,7 +115,6 @@
     - archwiki-runjobs.timer
     - archwiki-prune-cache.timer
     - archwiki-runjobs-wait.service
-    - archwiki-memcached.service
 
 - name: create question answer file
   systemd:
diff --git a/roles/archwiki/templates/archwiki-memcached.service.j2 b/roles/archwiki/templates/archwiki-memcached.service.j2
deleted file mode 100644
index 37c00bd85..000000000
--- a/roles/archwiki/templates/archwiki-memcached.service.j2
+++ /dev/null
@@ -1,21 +0,0 @@
-[Unit]
-Description=Archwiki Memcached Daemon
-After=network.target
-
-[Service]
-User={{ archwiki_user }}
-Group=memcached
-ExecStart=/usr/bin/memcached -s {{ archwiki_memcached_socket }} -m {{ archwiki_memcached_memory }} -o modern -a 770
-Restart=always
-NoNewPrivileges=yes
-PrivateTmp=yes
-ProtectHome=true
-PrivateDevices=yes
-ProtectSystem=full
-ProtectKernelTunables=true
-ProtectKernelModules=true
-ProtectControlGroups=true
-MemoryDenyWriteExecute=yes
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/archwiki/templates/memcached.service.d-archwiki.conf.j2 b/roles/archwiki/templates/memcached.service.d-archwiki.conf.j2
new file mode 100644
index 000000000..50acbb88a
--- /dev/null
+++ b/roles/archwiki/templates/memcached.service.d-archwiki.conf.j2
@@ -0,0 +1,6 @@
+[Service]
+User={{ archwiki_user }}
+Group=memcached
+Environment=CACHESIZE={{ archwiki_memcached_memory }}
+Environment=LISTEN="-s {{ archwiki_memcached_socket }} -a 770"
+ProtectHome=true
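Review bot: The drop-in carries no comment saying that it is Ansible-generated or why `ProtectHome=true` is re-stated when the stated purpose of the change is to inherit the packaged unit's hardening; add a header such as `# Managed by Ansible (roles/archwiki). Overrides for memcached@archwiki only; every other hardening option is inherited from the packaged memcached@.service.` The `Environment=CACHESIZE=…` and `Environment=LISTEN="-s … -a 770"` lines presumably feed `$CACHESIZE`/`$LISTEN` in the packaged `ExecStart=` and rely on systemd word-splitting the quoted `LISTEN` value into separate arguments; that `ExecStart=` is not visible here, so verify it references `$LISTEN` (split) rather than `${LISTEN}` (one argument), and that the `-o modern` and `Restart=always` settings from the deleted unit are either supplied by the packaged unit or intentionally dropped. Also note that with `-a 770` and `Group=memcached` the socket is reachable only by the owning `{{ archwiki_user }}` and members of the memcached group; the `php-fpm@{{ archwiki_user }}` handler in this patch suggests php-fpm runs as that same user, so this is likely fine but worth confirming.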
-- 
GitLab