diff --git a/manifests/config.pp b/manifests/config.pp
index 6a585c3..28d32bf 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -166,13 +166,20 @@
 content => epp(
 'vault/vault.service.epp',
 {
+ user => $vault::user,
+ group => $vault::group,
 bin_dir => $vault::bin_dir,
+ service_options => $vault::service_options,
 config_dir => $vault::config_dir,
 config_output => $vault::config_output,
 create_env_file => $vault::create_env_file,
 num_procs => $vault::num_procs,
+ disable_mlock => $vault::disable_mlock,
 }
 ),
+ mode => '0444',
+ owner => 'root',
+ group => 'root',
 }
 }
 default: {
diff --git a/spec/classes/vault_spec.rb b/spec/classes/vault_spec.rb
index 1104281..844698e 100644
--- a/spec/classes/vault_spec.rb
+++ b/spec/classes/vault_spec.rb
@@ -424,9 +424,8 @@
 context 'RedHat >=7 specific' do
 context 'includes systemd init script' do
 it {
- is_expected.to contain_file('/etc/systemd/system/vault.service').
+ is_expected.to contain_systemd__unit_file('vault.service').
 with_mode('0444').
- with_ensure('file').
 with_owner('root').
 with_group('root').
 with_content(%r{^# vault systemd unit file}).
@@ -454,9 +453,8 @@
 end
 it {
- is_expected.to contain_file('/etc/systemd/system/vault.service').
+ is_expected.to contain_systemd__unit_file('vault.service').
 with_mode('0444').
- with_ensure('file').
 with_owner('root').
 with_group('root').
 with_content(%r{^# vault systemd unit file}).
@@ -473,9 +471,8 @@
 end
 it {
- is_expected.to contain_file('/etc/systemd/system/vault.service').
+ is_expected.to contain_systemd__unit_file('vault.service').
 with_mode('0444').
- with_ensure('file').
 with_owner('root').
 with_group('root').
 with_content(%r{^# vault systemd unit file}).
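Review bot: The `mode => '0444'`, `owner => 'root'` and `group => 'root'` lines added after the `epp()` call are, if the resource is `systemd::unit_file` as the updated spec's `contain_systemd__unit_file` expects, the values that define already applies by default, so they pin the unit's permissions rather than change them; the resource's type and title are above the hunk, so that is inferred. Keeping them explicit is reasonable, but a one-line comment such as `# pin unit permissions explicitly (also the define's defaults)` would spare the next reader a search for a reason. The new `service_options` key is passed through without any hint of where it ends up; `# extra arguments appended to ExecStart in vault.service.epp` on that line would document the coupling.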
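Review bot: Dropping `with_ensure('file').` leaves these examples with no `ensure` assertion at all, here and in the hunks at -454, -473, -598, -628 and -647; if the `systemd::unit_file` define exposes an `ensure` parameter (in puppet-systemd its default is `present`), restoring the check as `with_ensure('present').` keeps the tests guarding against the unit ever being declared absent. The -598 hunk also moves `with_mode('0444').` below `with_group('root').` while the other five keep it directly after the `contain_systemd__unit_file` line; ordering the chain the same way in all six keeps the examples easy to compare.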
@@ -598,11 +595,10 @@
 context 'on Debian based with systemd' do
 context 'includes systemd init script' do
 it {
- is_expected.to contain_file('/etc/systemd/system/vault.service').
- with_mode('0444').
- with_ensure('file').
+ is_expected.to contain_systemd__unit_file('vault.service').
 with_owner('root').
 with_group('root').
+ with_mode('0444').
 with_content(%r{^# vault systemd unit file}).
 with_content(%r{^User=vault$}).
 with_content(%r{^Group=vault$}).
@@ -628,9 +624,8 @@
 end
 it {
- is_expected.to contain_file('/etc/systemd/system/vault.service').
+ is_expected.to contain_systemd__unit_file('vault.service').
 with_mode('0444').
- with_ensure('file').
 with_owner('root').
 with_group('root').
 with_content(%r{^# vault systemd unit file}).
@@ -647,9 +642,8 @@
 end
 it {
- is_expected.to contain_file('/etc/systemd/system/vault.service').
+ is_expected.to contain_systemd__unit_file('vault.service').
 with_mode('0444').
- with_ensure('file').
 with_owner('root').
 with_group('root').
 with_content(%r{^# vault systemd unit file}).
diff --git a/templates/vault.service.epp b/templates/vault.service.epp
index 16307b2..49c9e37 100644
--- a/templates/vault.service.epp
+++ b/templates/vault.service.epp
@@ -1,16 +1,20 @@
 <% |
+ String $user,
+ String $group,
 String $bin_dir,
+ String $service_options = "",
 String $config_dir,
 String $config_output,
 Boolean $create_env_file,
 Integer $num_procs,
+ Boolean $disable_mlock = false,
 | %>
 # vault systemd unit file
 ###########################################################################################################
 # this file has been put in place by the jsok/vault Puppet module (https://forge.puppetlabs.com/jsok/vault)
-# any changes will be overwritten if Puppet is run again
-# This script is originally from:
-# https://learn.hashicorp.com/vault/operations/ops-deployment-guide#step-3-configure-systemd
+# any changes will be overwritten if Puppet is run again.
+#
+# This unit file originally from official vault package.
 ###########################################################################################################
 [Unit]
@@ -27,18 +31,24 @@ Type=notify
 <%- if $create_env_file == true { -%>
 <%= $config_dir %>/vault.env
 <%- } -%>
-User=vault
-Group=vault
+User=<%= $user %>
+Group=<%= $group %>
 ProtectSystem=full
 ProtectHome=read-only
 PrivateTmp=yes
 PrivateDevices=yes
+<%- if $disable_mlock == true { -%>
+CapabilityBoundingSet=CAP_SYSLOG
+<%- } else { -%>
 SecureBits=keep-caps
+Capabilities=CAP_IPC_LOCK+ep
 AmbientCapabilities=CAP_IPC_LOCK
 CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+<%- } -%>
+
 NoNewPrivileges=yes
 Environment=GOMAXPROCS=<%= $num_procs %>
-ExecStart=<%= $bin_dir %>/vault server -config=<%= $config_dir %>/vault.<%= $config_output %>
+ExecStart=<%= $bin_dir %>/vault server -config=<%= $config_dir %>/vault.<%= $config_output %> <%= $service_options %>
 ExecReload=/bin/kill --signal HUP $MAINPID
 KillMode=process
 KillSignal=SIGINT
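Review bot: `String $service_options = ""` is the only check between a caller and the `ExecStart=` line, and a plain `String` admits line breaks, which inside a unit file would begin a new directive rather than another argument; a type that rejects them, e.g. `Pattern[/\A[^\r\n]*\z/] $service_options = '',` (or the same constraint on `vault::service_options` in the class, which is outside this diff), keeps the value on the one line it is meant for. The double-quoted `""` default has no interpolation and is the form puppet-lint flags; `''` is the conventional spelling, and it also avoids two quoting styles within one parameter list. The replacement header comment reads awkwardly; `# This unit file was originally taken from the official Vault package.` says the same thing clearly.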
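Review bot: The `if $disable_mlock == true` branch drops CAP_IPC_LOCK from the bounding set, which only works if Vault itself is also started with `disable_mlock = true` in its configuration; without that, its mlock call fails and the server refuses to start, so the same `$disable_mlock` value has to reach the generated vault config — that file is not in this diff, so this is worth confirming rather than assuming. `Capabilities=CAP_IPC_LOCK+ep` in the else branch is the legacy systemd directive that, as far as I can tell, current releases treat as an unknown key and merely log; `AmbientCapabilities=CAP_IPC_LOCK` on the next line already grants the capability, so the added line can go. Appending `<%= $service_options %>` to `ExecStart=` leaves a trailing space when the option is empty, which systemd tolerates, but a comment such as `# extra server arguments supplied by vault::service_options; empty by default` above the line would explain the dangling expansion to the next reader.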