burp-client: Switch from cron to systemd timer

systemd timer units are supported on all relevant OS versions now. There is no longer any reason to use cron.
2023-04-06 22:49:49 -05:00 · 2023-04-06 22:49:49 -05:00 · 66d0a9157f
parent cd1f7b354b
commit 66d0a9157f
7 changed files with 64 additions and 9 deletions
--- a/burp-client.yml
+++ b/burp-client.yml
@ -1,4 +1,3 @@
 - hosts: burp-client
  roles:
-  - cronie
  - burp-client
--- a/roles/burp-client/files/burp-backup.cron
+++ b/roles/burp-client/files/burp-backup.cron
@ -1 +0,0 @@
-18,48 * * * * root /usr/sbin/burp -a t -Q
--- a/roles/burp-client/files/burp-backup.fcron
+++ b/roles/burp-client/files/burp-backup.fcron
@ -1 +0,0 @@
-@mail(no) 30 /usr/sbin/burp -a t
--- a/roles/burp-client/files/burp-backup.service
+++ b/roles/burp-client/files/burp-backup.service
@ -0,0 +1,27 @@
+# vim: set ft=systemd :
+[Unit]
+Description=BURP client
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=exec
+ExecStart=/usr/sbin/burp -a t -Q
+SuccessExitStatus=3
+CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_FOWNER CAP_LEASE CAP_SETGID CAP_SETUID
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=noaccess
+ProtectSystem=full
+SystemCallArchitectures=native
+SystemCallFilter=@system-service @privileged @mount
+SystemCallFilter=~@clock @debug @module @reboot @swap
--- a/roles/burp-client/files/burp-backup.timer
+++ b/roles/burp-client/files/burp-backup.timer
@ -0,0 +1,10 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Periodically run BURP client
+
+[Timer]
+OnCalendar=*:18
+OnCalendar=*:48
+
+[Install]
+WantedBy=timers.target
--- a/roles/burp-client/handlers/main.yml
+++ b/roles/burp-client/handlers/main.yml
@ -1,2 +1,3 @@
- name: reload system crontab
-  command: /usr/libexec/check_system_crontabs -v -i
+- name: reload systemd
+  systemd:
+    daemon_reload: true
--- a/roles/burp-client/tasks/main.yml
+++ b/roles/burp-client/tasks/main.yml
@ -49,8 +49,28 @@
  command:
    burp -c /etc/burp/burp.conf -g
    creates=/etc/burp/ssl_cert-client.pem
- name: ensure automatic backup is scheduled
+
+- name: ensure auto backup systemd units are installed
  copy:
-    src={{ burp_backup_crontab }}
-    dest=/etc/cron.d/burp-backup
-    mode=0644
+    src: '{{ item }}'
+    dest: /etc/systemd/system/
+    mode: u=rw,go=r
+  loop:
+  - burp-backup.service
+  - burp-backup.timer
+  notify:
+  - reload systemd
+  tags:
+  - systemd
+- name: ensure auto backup timer is enabled
+  systemd:
+    name: burp-backup.timer
+    enabled: true
+    state: started
+  tags:
+  - service
+
+- name: ensure legacy burp crontab file is removed
+  file:
+    path: /etc/cron.d/burp-backup
+    state: absent