burp-client: Switch from cron to systemd timer
systemd timer units are supported on all relevant OS versions now. There is no longer any reason to use cron.
@@ -1 +0,0 @@
|
||||
18,48 * * * * root /usr/sbin/burp -a t -Q
|
||||
@@ -1 +0,0 @@
|
||||
@mail(no) 30 /usr/sbin/burp -a t
|
||||
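--- a/roles/burp-client/files/burp-backup.service
+++ b/roles/burp-client/files/burp-backup.service
@@ -0,0 +1,27 @@
+# vim: set ft=systemd :
+[Unit]
+Description=BURP client
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=exec
+ExecStart=/usr/sbin/burp -a t -Q
+SuccessExitStatus=3
+CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_FOWNER CAP_LEASE CAP_SETGID CAP_SETUID
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=noaccess
+ProtectSystem=full
+SystemCallArchitectures=native
+SystemCallFilter=@system-service @privileged @mount
+SystemCallFilter=~@clock @debug @module @reboot @swap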
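Review bot: The first `SystemCallFilter=` line allow-lists `@mount` for a root process, and nothing in the unit says why a backup client needs mount-related system calls. CAP_SYS_ADMIN is not in either `CapabilityBoundingSet=` line, so those calls would presumably fail anyway; if burp runs cleanly without the group, `SystemCallFilter=@system-service @privileged` is the tighter form. The sandbox also leaves socket families and namespaces unrestricted, so something like `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`, `RestrictNamespaces=yes` and `LockPersonality=yes` would match the rest of the hardening. A one-line comment above `SuccessExitStatus=3` naming the burp outcome that exit code 3 represents would stop a later reader from removing it as a mistake.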
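--- a/roles/burp-client/files/burp-backup.timer
+++ b/roles/burp-client/files/burp-backup.timer
@@ -0,0 +1,10 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Periodically run BURP client
+
+[Timer]
+OnCalendar=*:18
+OnCalendar=*:48
+
+[Install]
+WantedBy=timers.target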
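Review bot: Both `OnCalendar=` lines fire at a fixed minute and the `[Timer]` section has no `RandomizedDelaySec=`, so every host that receives this unit contacts the backup server within the same minute at :18 and :48. A line such as `RandomizedDelaySec=5min` (value chosen for illustration) would spread the connections and make refused or queued backups less likely on a busy server. The two schedule lines can also be written as one, `OnCalendar=*:18,48`.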
@@ -1,2 +1,3 @@
|
||||
- name: reload system crontab
|
||||
command: /usr/libexec/check_system_crontabs -v -i
|
||||
- name: reload systemd
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
|
||||
@@ -49,8 +49,28 @@
|
||||
command:
|
||||
burp -c /etc/burp/burp.conf -g
|
||||
creates=/etc/burp/ssl_cert-client.pem
|
||||
- name: ensure automatic backup is scheduled
|
||||
|
||||
- name: ensure auto backup systemd units are installed
|
||||
copy:
|
||||
src={{ burp_backup_crontab }}
|
||||
dest=/etc/cron.d/burp-backup
|
||||
mode=0644
|
||||
src: '{{ item }}'
|
||||
dest: /etc/systemd/system/
|
||||
mode: u=rw,go=r
|
||||
loop:
|
||||
- burp-backup.service
|
||||
- burp-backup.timer
|
||||
notify:
|
||||
- reload systemd
|
||||
tags:
|
||||
- systemd
|
||||
- name: ensure auto backup timer is enabled
|
||||
systemd:
|
||||
name: burp-backup.timer
|
||||
enabled: true
|
||||
state: started
|
||||
tags:
|
||||
- service
|
||||
|
||||
- name: ensure legacy burp crontab file is removed
|
||||
file:
|
||||
path: /etc/cron.d/burp-backup
|
||||
state: absent
|
||||
|
||||
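Review bot: The `ensure auto backup timer is enabled` task starts `burp-backup.timer` before the `reload systemd` handler notified by the copy task has run, because handlers fire only at the end of the play or at a `meta: flush_handlers`. On a host where an older copy of the unit files is already loaded, systemd is therefore still using the previous definition when the timer is enabled and started, so a changed sandbox setting in `burp-backup.service` may not apply until some later reload. Adding `daemon_reload: true` to that `systemd:` task closes the gap without relying on handler ordering. The copy task could also state `owner: root` and `group: root` explicitly, so the installed unit files do not depend on which user the play runs as.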