Commit ae3fb252 authored by Noah Hilverling's avatar Noah Hilverling

Do not use generate-systemd-service-files

parent 4ca6895f
Pipeline #7431 passed with stages
in 1 minute and 44 seconds
#!/bin/sh
for BINARY in icinga-redis icinga-redis-sentinel
do
for MODE in default
# templated
do
case "${BINARY}" in
icinga-redis)
NAME="redis"
;;
icinga-redis-sentinel)
NAME="sentinel"
;;
esac
case "${MODE}" in
default)
EXTRA=""
TARGET="debian/${BINARY}.service"
NAMESPACED="${NAME}"
DESCRIPTION="Advanced key-value store for Icinga"
;;
templated)
EXTRA=""
TARGET="debian/${BINARY}@.service"
NAMESPACED="${NAME}-%i"
DESCRIPTION="Advanced key-value store for Icinga (%I)"
;;
esac
: >${TARGET}
if [ "${MODE}" = "templated" ]
then
cat >> ${TARGET} <<EOF
# Templated service file for ${BINARY}(1)
#
# Each instance of ${BINARY} requires its own configuration file:
#
# $ cp /etc/redis/${NAME}.conf /etc/redis/${NAME}-myname.conf
# $ chown redis:redis /etc/redis/${NAME}-myname.conf
#
# Ensure each instance is using their own database:
#
# $ sed -i -e 's@^dbfilename .*@dbfilename dump-myname.rdb@' /etc/redis/${NAME}-myname.conf
#
# We then listen exlusively on UNIX sockets to avoid TCP port collisions:
#
# $ sed -i -e 's@^port .*@port 0@' /etc/redis/${NAME}-myname.conf
# $ sed -i -e 's@^\\(# \\)\\{0,1\\}unixsocket .*@unixsocket /var/run/${NAME}-myname/${BINARY}.sock@' /etc/redis/${NAME}-myname.conf
#
# ... and ensure we are logging, etc. in a unique location:
#
# $ sed -i -e 's@^logfile .*@logfile /var/log/redis/${BINARY}-myname.log@' /etc/redis/${NAME}-myname.conf
# $ sed -i -e 's@^pidfile .*@pidfile /run/redis-myname/${BINARY}.pid@' /etc/redis/${NAME}-myname.conf
#
# We can then start the service as follows, validating we are using our own
# configuration:
#
# $ systemctl start ${BINARY}@myname.service
# $ redis-cli -s /var/run/${NAME}-myname/${BINARY}.sock info | grep config_file
#
# -- Chris Lamb <lamby@debian.org> Mon, 09 Oct 2017 22:17:24 +0100
EOF
fi
cat >> ${TARGET} <<EOF
[Unit]
Description=${DESCRIPTION}
After=network.target
Documentation=http://redis.io/documentation, man:${BINARY}(1)
[Service]
Type=forking
ExecStart=/usr/bin/${BINARY} /etc/redis/${NAMESPACED}.conf
ExecStop=/bin/kill -s TERM \$MAINPID
PIDFile=/run/${NAMESPACED}/${BINARY}.pid
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
RuntimeDirectory=${NAMESPACED}
RuntimeDirectoryMode=2755
UMask=007
PrivateTmp=yes
LimitNOFILE=65535
PrivateDevices=yes
ProtectHome=yes
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/redis
ReadWriteDirectories=-/var/log/redis
ReadWriteDirectories=-/var/run/${NAMESPACED}
NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# ${BINARY} can write to its own config file when in cluster mode so we
# permit writing there by default. If you are not using this feature, it is
# recommended that you replace the following lines with "ProtectSystem=full".
ProtectSystem=true
ReadWriteDirectories=-/etc/redis
[Install]
WantedBy=multi-user.target
EOF
if [ "${EXTRA}" != "" ]
then
echo "${EXTRA}" >> "${TARGET}"
fi
done
done
debian/bash_completion.d/* /usr/share/bash-completion/completions
debian/icinga-redis.service /lib/systemd/system
redis.conf /etc/icinga-redis
src/icinga-redis-benchmark /usr/bin
src/icinga-redis-check-aof /usr/bin
......
[Unit]
Description=Advanced key-value store for Icinga
After=network.target
Documentation=http://redis.io/documentation, man:icinga-redis(1)
[Service]
Type=notify
ExecStart=/usr/bin/icinga-redis-server /etc/icinga-redis/redis.conf --supervised systemd
TimeoutStopSec=0
Restart=always
User=icinga-redis
Group=icinga-redis
RuntimeDirectory=icinga-redis
RuntimeDirectoryMode=2755
UMask=007
PrivateTmp=yes
LimitNOFILE=65535
PrivateDevices=yes
ProtectHome=yes
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/icinga-redis
ReadWriteDirectories=-/var/log/icinga-redis
ReadWriteDirectories=-/var/run/icinga-redis
NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# icinga-redis can write to its own config file when in cluster mode so we
# permit writing there by default. If you are not using this feature, it is
# recommended that you replace the following lines with "ProtectSystem=full".
ProtectSystem=true
ReadWriteDirectories=-/etc/icinga-redis
[Install]
WantedBy=multi-user.target
\ No newline at end of file
......@@ -38,7 +38,7 @@ debian/lua_libs_debian.c:
override_dh_auto_clean:
dh_auto_clean
rm -f src/release.h debian/*.service debian/lua_libs_debian.c
rm -f src/release.h debian/lua_libs_debian.c
override_dh_auto_build: debian/lua_libs_debian.c
# Build the non-bundled Lua libraries
......@@ -57,7 +57,6 @@ ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
endif
override_dh_auto_install:
debian/bin/generate-systemd-service-files
override_dh_compress:
dh_compress -Xicinga-redis-trib.rb
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment