Commit 7e24b6a2 authored by hashworks's avatar hashworks

Switch deployment to non-root user

parent 38e17aad
......@@ -3,40 +3,33 @@
tasks:
- name: Create backup of systemd unit file with fixed name
copy:
src: /etc/systemd/system/hashworksNET.service
dest: /etc/systemd/system/hashworksNET.service.bak
src: ~/.config/systemd/user/hashworksNET.service
dest: ~/.config/systemd/user/hashworksNET.service.bak
remote_src: yes
owner: root
group: root
mode: 0600
- name: Copy systemd unit file
copy:
src: ../systemd/hashworksNET.service
dest: /etc/systemd/system/hashworksNET.service
owner: root
group: root
dest: ~/.config/systemd/user/hashworksNET.service
mode: 0600
- name: Create backup of binary file with fixed name
copy:
src: /usr/local/bin/hashworksNET
dest: /usr/local/bin/hashworksNET.bak
src: ~/bin/hashworksNET
dest: ~/bin/hashworksNET.bak
remote_src: yes
owner: root
group: root
mode: 0775
mode: 0770
- name: Copy binary
copy:
src: ../bin/hashworksNET
dest: /usr/local/bin/hashworksNET
owner: root
group: root
mode: 0775
dest: ~/bin/hashworksNET
mode: 0770
- name: Restart systemd service
systemd:
name: hashworksNET
scope: user
daemon_reload: true
state: restarted
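Review bot: The `mode:` values on L18, L26, L37 and L46 are unquoted octal literals; they only work because Ansible's loader follows YAML 1.1 octal rules (`0600` → 384), a YAML 1.2 loader would read them differently and both yamllint (octal-values) and ansible-lint (risky-octal) flag them, so write `mode: "0600"` and `mode: "0770"`, and likewise `remote_src: true` instead of `remote_src: yes` on L15 and L33. Separately, `0770` on `~/bin/hashworksNET` leaves the executable group-writable, and because the deploy account is also the account the user-scope service now runs as, `0750` or `0700` would keep the binary from being replaced by any other member of that group. The `~` in the new `src:`/`dest:` paths relies on the copy module expanding it on the remote host; worth confirming on the first run, since an unexpanded `~` would create literal `~` directories. The enclosing play starts before this hunk.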
......@@ -2,4 +2,4 @@
hive.hashworks.net
[hive:vars]
ansible_ssh_user=root
ansible_ssh_user=ansible_hashworksnet
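Review bot: `ansible_ssh_user` on L57 is the pre-2.0 spelling and is deprecated in favour of `ansible_user`; since the commit already touches this line, `ansible_user=ansible_hashworksnet` avoids the deprecation warning. With the login no longer root, nothing in the diff sets `become:`, so any task that still needs privilege would now fail — presumably none does after this change, but it is worth confirming on the first deploy against hive.hashworks.net.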
[Unit]
Description=hashworks.net Server
ConditionFileIsExecutable=/usr/local/bin/hashworksNET
ConditionFileIsExecutable=%h/bin/hashworksNET
[Service]
EnvironmentFile=/etc/hashworksNET/server.conf
ExecStart=/usr/local/bin/hashworksNET
EnvironmentFile=%h/server.conf
ExecStart=%h/bin/hashworksNET
DynamicUser=true
# implies:
# ProtectSystem=strict
# ProtectHome=read-only
# RemoveIPC=
# PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=yes
NoNewPrivileges=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
Restart=always
RestartSec=3
[Install]
WantedBy=multi-user.target
\ No newline at end of file
WantedBy=default.target
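Review bot: `DynamicUser=true` on L67 is a system-manager feature; under the user manager this unit now targets (`WantedBy=default.target`, started with `scope: user`) it is unlikely to allocate a user, so the hardening the comment block on L68–L72 says it implies may not be in effect — confirm on the deployed systemd version, and either drop the line or rely on the explicit `ProtectSystem=`/`ProtectHome=`/`PrivateTmp=` settings that are already present. Those sandboxing options in a user unit depend on unprivileged user namespaces being available on the host; if they are not, the unit fails to start rather than running unsandboxed, which is worth checking before the first restart. `ProtectHome=read-only` together with `ExecStart=%h/bin/hashworksNET` and `EnvironmentFile=%h/server.conf` means the process cannot write anywhere under the deploy user's home, so if the server keeps state there it needs `ReadWritePaths=` for that directory or `StateDirectory=`. Nothing in this commit enables lingering for the new user, so the unit stops with that user's last login session unless `loginctl enable-linger ansible_hashworksnet` is run; a note in the unit or a playbook task would make that dependency visible.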