From 41b1edf21c531ee0def59463c5a415af24875d30 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sun, 26 Feb 2017 12:05:01 +0000
Subject: [PATCH] Modernise some older systemd services
---
 cookbooks/chef/recipes/server.rb | 1 +
 cookbooks/kibana/recipes/default.rb | 6 ++++++
 cookbooks/squid/recipes/default.rb | 5 +++++
 cookbooks/tile/recipes/default.rb | 3 +++
 cookbooks/web/recipes/cgimap.rb | 1 +
 cookbooks/web/recipes/rails.rb | 1 +
 6 files changed, 17 insertions(+)
diff --git a/cookbooks/chef/recipes/server.rb b/cookbooks/chef/recipes/server.rb
index 8edf4e559..ee27718f9 100644
--- a/cookbooks/chef/recipes/server.rb
+++ b/cookbooks/chef/recipes/server.rb
@@ -73,6 +73,7 @@ end
 service "chef-server" do
 action [:enable, :start]
+ subscribes :restart, "systemd_service[chef-server]"
 end
 apache_module "alias"
diff --git a/cookbooks/kibana/recipes/default.rb b/cookbooks/kibana/recipes/default.rb
index 788e95513..adc39270d 100644
--- a/cookbooks/kibana/recipes/default.rb
+++ b/cookbooks/kibana/recipes/default.rb
@@ -68,6 +68,11 @@ systemd_service "kibana@" do
 after "network.target"
 user "kibana"
 exec_start "/opt/kibana-#{version}/bin/kibana -c /etc/kibana/%i.yml"
+ private_tmp true
+ private_devices true
+ protect_system "full"
+ protect_home true
+ no_new_privileges true
 restart "on-failure"
 end
@@ -89,6 +94,7 @@ node[:kibana][:sites].each do |name, details|
 service "kibana@#{name}" do
 action [:enable, :start]
 supports :status => true, :restart => true, :reload => false
+ subscribes :restart, "systemd_service[kibana@]"
 end
 ssl_certificate details[:site] do
diff --git a/cookbooks/squid/recipes/default.rb b/cookbooks/squid/recipes/default.rb
index def3d9187..731cbdd83 100644
--- a/cookbooks/squid/recipes/default.rb
+++ b/cookbooks/squid/recipes/default.rb
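Review bot: The chef-server unit gains only the restart subscription here, while every other unit touched by this commit also receives `no_new_privileges true` (and kibana and squid the full `private_tmp`/`private_devices`/`protect_system "full"`/`protect_home` set); the `systemd_service "chef-server"` resource itself is outside the hunk, so it may already carry those directives, but if it does not it is the one service this "modernise" commit leaves without the sandbox. The subscription itself is sound: with Chef's default delayed timer the restart runs once at the end of the converge, so a rewritten unit file takes effect in the same run rather than at the next manual restart.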
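Review bot: The five sandboxing directives added after `exec_start` in `systemd_service "kibana@"` deserve a comment, because `protect_system "full"` is narrower than the name suggests: it makes /usr, /boot and /etc read-only, so `/etc/kibana/%i.yml` becomes read-only to the service (desirable for a config file) while the install under `/opt/kibana-#{version}` and anything Kibana writes beneath it stay writable. A line such as `# Sandbox: private /tmp and /dev, read-only /usr,/boot,/etc (the /opt install stays writable), no /home access, no privilege gain via setuid` would record the intent for the next maintainer. If the install tree does not need to be writable at runtime, `protect_system "strict"` (systemd's read-only-everything mode) is the stronger setting to evaluate, assuming the cookbook's `systemd_service` resource passes the value through. The resource block opens before the hunk.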
@@ -50,6 +50,11 @@ systemd_service "squid" do
 exec_start "/usr/sbin/squid -N $SQUID_ARGS"
 exec_reload "/usr/sbin/squid -k reconfigure"
 exec_stop "/usr/sbin/squid -k shutdown"
+ private_tmp true
+ private_devices true
+ protect_system "full"
+ protect_home true
+ no_new_privileges true
 restart "on-failure"
 timeout_sec 0
 end
diff --git a/cookbooks/tile/recipes/default.rb b/cookbooks/tile/recipes/default.rb
index 2e19e9b0e..7d75087c9 100644
--- a/cookbooks/tile/recipes/default.rb
+++ b/cookbooks/tile/recipes/default.rb
@@ -76,11 +76,13 @@ systemd_service "renderd" do
 private_network true
 protect_system "full"
 protect_home true
+ no_new_privileges true
 restart "on-failure"
 end
 service "renderd" do
 action [:enable, :start]
+ subscribes :restart, "systemd_service[renderd]"
 end
 directory "/srv/tile.openstreetmap.org/tiles" do
@@ -468,6 +470,7 @@ systemd_service "replicate" do
 private_devices true
 protect_system "full"
 protect_home true
+ no_new_privileges true
 restart "on-failure"
 end
diff --git a/cookbooks/web/recipes/cgimap.rb b/cookbooks/web/recipes/cgimap.rb
index 7fb417b38..0875804cd 100644
--- a/cookbooks/web/recipes/cgimap.rb
+++ b/cookbooks/web/recipes/cgimap.rb
@@ -58,6 +58,7 @@ systemd_service "cgimap" do
 private_devices true
 protect_system "full"
 protect_home true
+ no_new_privileges true
 restart "on-failure"
 pid_file "#{node[:web][:pid_directory]}/cgimap.pid"
 end
diff --git a/cookbooks/web/recipes/rails.rb b/cookbooks/web/recipes/rails.rb
index 77017b735..725f3b746 100644
--- a/cookbooks/web/recipes/rails.rb
+++ b/cookbooks/web/recipes/rails.rb
@@ -119,6 +119,7 @@ systemd_service "api-statistics" do
 private_network true
 protect_system "full"
 protect_home true
+ no_new_privileges true
 restart "on-failure"
 end
-- 
2.39.5
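Review bot: No `subscribes :restart, "systemd_service[squid]"` accompanies the new sandbox directives here, unlike the chef-server, kibana and renderd hunks in this same commit; the `service "squid"` resource is outside the hunk, so if it does not already subscribe, the unit file is rewritten but the running process keeps its old, unsandboxed settings until something else restarts it. The same gap applies to the replicate, cgimap and api-statistics hunks below, each of which adds `no_new_privileges true` with no restart subscription in view. One squid-specific caveat is worth a comment on the `no_new_privileges true` line: `user` is not set in the visible lines, so squid appears to start as root and drop privileges itself, which NoNewPrivileges permits, but any authentication or external helper that relies on a setuid binary to regain privileges will fail once this lands, so the configured helpers should be checked before rollout.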