diff --git a/custodia.conf b/custodia.conf
index 2e46309..5e4b584 100644
--- a/custodia.conf
+++ b/custodia.conf
@@ -1,14 +1,7 @@
 # /etc/custodia/custodia.conf
-
-[DEFAULT]
-libdir = /var/lib/custodia
-logdir = /var/log/custodia
-rundir = /var/run/custodia
-
 [global]
 debug = true
-server_socket = ${rundir}/custodia.sock
-auditlog = ${logdir}/audit.log
+makedirs = true
 
 [store:sqlite]
 handler = SqliteStore
diff --git a/custodia.service b/custodia.service
deleted file mode 100644
index cfe241d..0000000
--- a/custodia.service
+++ /dev/null
@@ -1,14 +0,0 @@
-# /etc/systemd/system/custodia.service
-
-[Unit]
-Description=Custodia Secrets Service
-Documentation=https://github.com/latchset/custodia
-Requires=custodia.socket
-After=network.target
-
-[Service]
-Type=notify
-ExecStart=/usr/sbin/custodia /etc/custodia/custodia.conf
-
-[Install]
-WantedBy=multi-user.target
diff --git a/custodia.socket b/custodia.socket
deleted file mode 100644
index 16f73e7..0000000
--- a/custodia.socket
+++ /dev/null
@@ -1,14 +0,0 @@
-# /etc/systemd/system/custodia.socket
-
-[Unit]
-Description=Custodia Socket
-Documentation=https://github.com/latchset/custodia
-
-[Socket]
-ListenStream=/var/run/custodia/custodia.sock
-SocketUser=root
-SocketGroup=root
-SocketMode=0666
-
-[Install]
-WantedBy=sockets.target
diff --git a/custodia.spec b/custodia.spec
index 10d0170..0a47ad5 100644
--- a/custodia.spec
+++ b/custodia.spec
@@ -12,15 +12,15 @@
 
 Name: custodia
 Version: 0.5.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: A service to manage, retrieve and store secrets for other processes
 
 License: GPLv3+
 URL: https://github.com/latchset/%{name}
 Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
 Source2: custodia.conf
-Source3: custodia.service
-Source4: custodia.socket
+Source3: custodia@.service
+Source4: custodia@.socket
 Source5: custodia.tmpfiles.conf
 
 BuildArch: noarch
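Review bot: With `server_socket`, `auditlog` and the whole `[DEFAULT]` section removed, the packaged config no longer tells an operator where this instance listens or writes its audit trail, and nothing states that the file name must match the template instance (the new unit runs `/usr/sbin/custodia --instance=%i /etc/custodia/%i.conf`, so this file would serve `custodia@custodia`). A header comment above `[global]` such as `# Config for the custodia@custodia instance (see custodia@.service); socket and audit log use the daemon's per-instance defaults` would make that explicit, with the actual defaults checked against the daemon before they are written down. `makedirs = true` lets the daemon create missing directories itself; since the spec now ships those directories with 0700 custodia ownership, a comment noting that this is only a fallback for hand-made instances (whose directory modes then presumably follow the daemon rather than the package) would help. Leaving `debug = true` in the default config of a secrets service also deserves a second look, since verbose logging in this area tends to expose more than operators expect.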
@@ -178,6 +178,7 @@ mkdir -p %{buildroot}/%{_unitdir}
 mkdir -p %{buildroot}/%{_tmpfilesdir}
 mkdir -p %{buildroot}/%{_localstatedir}/lib/custodia
 mkdir -p %{buildroot}/%{_localstatedir}/log/custodia
+mkdir -p %{buildroot}/%{_localstatedir}/run/custodia
 
 %{__python2} setup.py install --skip-build --root %{buildroot}
 mv %{buildroot}/%{_bindir}/custodia %{buildroot}/%{_sbindir}/custodia
@@ -200,19 +201,27 @@ cp %{buildroot}/%{_bindir}/custodia-cli %{buildroot}/%{_bindir}/custodia-cli-3
 %endif
 
 
+%pre
+getent group custodia >/dev/null || groupadd -r custodia
+getent passwd custodia >/dev/null || \
+ useradd -r -g custodia -d / -s /sbin/nologin \
+ -c "User for custodia" custodia
+exit 0
+
+
 %post
-%systemd_post custodia.socket
-%systemd_post custodia.service
+%systemd_post custodia@\*.socket
+%systemd_post custodia@\*.service
 
 
 %preun
-%systemd_preun custodia.socket
-%systemd_preun custodia.service
+%systemd_preun custodia@\*.socket
+%systemd_preun custodia@\*.service
 
 
 %postun
-%systemd_postun custodia.socket
-%systemd_postun custodia.service
+%systemd_postun custodia@\*.socket
+%systemd_postun custodia@\*.service
 
 
 %files
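Review bot: The new `%{_localstatedir}/run/custodia` directory is created in the buildroot here and then packaged as a regular `%dir` in the later `%files` hunk, yet custodia.tmpfiles.conf already creates `/run/custodia` at boot; on the target systems `/var/run` is a symlink into the `/run` tmpfs, so the packaged directory is lost on the first reboot and only survives because tmpfiles recreates it, which rpmlint should report as a non-ghost file in /run. Fedora's tmpfiles.d guidance is to keep this `mkdir` but list the directory as `%ghost %dir %attr(0755,custodia,custodia) %{_localstatedir}/run/custodia` (or better, `/run/custodia`, matching the tmpfiles entry) so ownership is recorded without rpm expecting the directory to persist. The `%install` section continues outside this hunk.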
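Review bot: The new `%pre` scriptlet calls getent, groupadd and useradd but this hunk declares no dependency for them; unless it already exists elsewhere in the spec, add `Requires(pre): shadow-utils` beside the other Requires so the account is guaranteed to exist when `%files` assigns `custodia` ownership. The account is created with `-d /`; the Fedora users-and-groups guideline prefers a home directory inside the service's own state directory, e.g. `-d %{_sharedstatedir}/custodia`, which the later `%files` hunk already packages as 0700 custodia:custodia. The `%systemd_post custodia@\*.socket` form hands the macro the pattern `custodia@*.socket`; a one-line comment stating that this is meant to cover every enabled instance, plus a check that the macro's preset call behaves with a pattern, would keep the next maintainer from simplifying it back to a fixed name.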
@@ -222,12 +231,13 @@ cp %{buildroot}/%{_bindir}/custodia-cli %{buildroot}/%{_bindir}/custodia-cli-3
 %{_mandir}/man7/custodia*
 %{_sbindir}/custodia
 %{_bindir}/custodia-cli
-%dir %attr(0700,root,root) %{_sysconfdir}/custodia
-%config(noreplace) %attr(600,root,root) %{_sysconfdir}/custodia/custodia.conf
-%attr(644,root,root) %{_unitdir}/custodia.socket
-%attr(644,root,root) %{_unitdir}/custodia.service
-%dir %attr(0700,root,root) %{_localstatedir}/lib/custodia
-%dir %attr(0700,root,root) %{_localstatedir}/log/custodia
+%dir %attr(0700,custodia,custodia) %{_sysconfdir}/custodia
+%config(noreplace) %attr(600,custodia,custodia) %{_sysconfdir}/custodia/custodia.conf
+%attr(644,root,root) %{_unitdir}/custodia@.socket
+%attr(644,root,root) %{_unitdir}/custodia@.service
+%dir %attr(0700,custodia,custodia) %{_localstatedir}/lib/custodia
+%dir %attr(0700,custodia,custodia) %{_localstatedir}/log/custodia
+%dir %attr(0755,custodia,custodia) %{_localstatedir}/run/custodia
 %{_tmpfilesdir}/custodia.conf
 
 %files -n python2-custodia
@@ -262,6 +272,9 @@ cp %{buildroot}/%{_bindir}/custodia-cli %{buildroot}/%{_bindir}/custodia-cli-3
 
 
 %changelog
+* Mon Jul 03 2017 Christian Heimes - 0.5.0-5
+- Add custodia user and named systemd instances
+
 * Wed Jul 26 2017 Fedora Release Engineering - 0.5.0-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
 
diff --git a/custodia.tmpfiles.conf b/custodia.tmpfiles.conf
index 9ab7d5f..cacc039 100644
--- a/custodia.tmpfiles.conf
+++ b/custodia.tmpfiles.conf
@@ -1 +1 @@
-d /run/custodia 0755
+d /run/custodia 0755 custodia custodia
diff --git a/custodia@.service b/custodia@.service
new file mode 100644
index 0000000..ef539f9
--- /dev/null
+++ b/custodia@.service
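Review bot: The config directory and custodia.conf move from root-owned to `custodia:custodia` with modes 0700/600, which gives the service account write access to its own configuration; the daemon only needs to read it (the new custodia@.service even mounts /etc read-only for it via `ProtectSystem=full`), and any process that ends up running as custodia outside that sandbox could then change handlers and store paths for the next restart. Least privilege is `%dir %attr(0750,root,custodia) %{_sysconfdir}/custodia` and `%config(noreplace) %attr(0640,root,custodia) %{_sysconfdir}/custodia/custodia.conf`, which keeps root as the only writer while the custodia group can read. The 0700 custodia:custodia lines for `/var/lib` and `/var/log` are appropriate since the daemon writes there, and the `/var/run/custodia` line should be `%ghost` as noted on the earlier `%install` hunk.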
@@ -0,0 +1,21 @@
+# /etc/systemd/system/custodia@.service
+
+[Unit]
+Description=Custodia Secrets Service for %I
+Documentation=https://github.com/latchset/custodia
+Requires=custodia@%i.socket
+After=network.target
+
+[Service]
+Type=notify
+ExecStart=/usr/sbin/custodia --instance=%i /etc/custodia/%i.conf
+User=custodia
+Group=custodia
+ProtectSystem=full
+ProtectHome=true
+NoNewPrivileges=true
+Restart=on-failure
+RestartSec=30s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/custodia@.socket b/custodia@.socket
new file mode 100644
index 0000000..fbd0fab
--- /dev/null
+++ b/custodia@.socket
@@ -0,0 +1,18 @@
+# /etc/systemd/system/custodia@.socket
+
+[Unit]
+Description=Custodia Socket for %i
+Documentation=https://github.com/latchset/custodia
+
+[Socket]
+ListenStream=/var/run/custodia/%i.sock
+Service=custodia@%i.service
+RemoveOnStop=true
+SocketUser=custodia
+SocketGroup=custodia
+SocketMode=0666
+PassCredentials=true
+PassSecurity=true
+
+[Install]
+WantedBy=sockets.target
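Review bot: The template unit does not document how the instance name is used: `ExecStart` passes `--instance=%i` and reads `/etc/custodia/%i.conf`, and `Requires=custodia@%i.socket` ties it to the matching socket, so an operator has to work out that `custodia@custodia` is the instance served by the packaged custodia.conf. A comment under the path header such as `# Instance %i selects /etc/custodia/%i.conf and custodia@%i.socket; the packaged custodia.conf serves custodia@custodia` would close that gap. `Description` uses the unescaped `%I` while the socket unit and every other reference use `%i`; one form should be used throughout. The hardening block (`ProtectSystem=full`, `ProtectHome=true`, `NoNewPrivileges=true`) is a good start, and the long-standing `PrivateTmp=true` and `PrivateDevices=true` would likely cost nothing for a daemon that, from this unit, needs only its socket and the /var/lib and /var/log directories.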
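Review bot: `ListenStream=/var/run/custodia/%i.sock` names the directory through `/var/run`, while custodia.tmpfiles.conf creates it as `/run/custodia`; the unit only works because `/var/run` is a symlink to `/run` on the target systems, so `ListenStream=/run/custodia/%i.sock` would keep the three files in agreement and drop the legacy path. `SocketMode=0666` leaves every instance connectable by any local user; read together with `PassCredentials=true` and `PassSecurity=true`, that looks deliberate, with the peer's credentials and security label presumably checked inside the daemon, so a one-line comment stating that access control happens in custodia rather than in the socket mode would stop the next reviewer from tightening it by mistake. If isolation between local users per instance is ever wanted, a narrower mode with a per-instance group is the lever, but that is a design question rather than a defect in this hunk.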