From 3709808fdc337b26a853dcb34023c2c1c539b17e Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Thu, 18 Feb 2021 16:42:54 +0100
Subject: [PATCH] redis: use /run instead or /var/run
---
 CHANGELOG.md | 1 +
 redis/defaults/main.yml | 4 +--
 redis/tasks/instance-server.yml | 17 +++++++--
 .../templates/redis-server@buster.service.j2 | 35 +++++++++++++++++++
 .../templates/redis-server@stretch.service.j2 | 2 +-
 5 files changed, 54 insertions(+), 5 deletions(-)
 create mode 100644 redis/templates/redis-server@buster.service.j2
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6dc8eba9..ccef7b7e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -27,6 +27,7 @@ The **patch** part changes incrementally at each release.
 * evoacme: upstream release 21.01
 * minifirewall: change some defaults
 * nagios-nrpe: update check_phpfpm_status.pl & install perl dependencies
+* redis: use /run instead or /var/run
 ### Fixed
diff --git a/redis/defaults/main.yml b/redis/defaults/main.yml
index 5cd311ce..93bbc741 100644
--- a/redis/defaults/main.yml
+++ b/redis/defaults/main.yml
@@ -9,10 +9,10 @@ redis_port: 6379
 redis_bind_interface: 127.0.0.1
 redis_socket_enabled: True
-redis_socket_dir_prefix: '/var/run/redis'
+redis_socket_dir_prefix: '/run/redis'
 redis_socket_perms: 770
-redis_pid_dir_prefix: "/var/run/redis"
+redis_pid_dir_prefix: "/run/redis"
 redis_timeout: 300
diff --git a/redis/tasks/instance-server.yml b/redis/tasks/instance-server.yml
index 5f4b2601..502adc8b 100644
--- a/redis/tasks/instance-server.yml
+++ b/redis/tasks/instance-server.yml
@@ -110,7 +110,7 @@
 tags:
 - redis
-- name: Systemd template for redis instances is installed (Debian 9 or later)
+- name: Systemd template for redis instances is installed (Debian 9)
 template:
 src: 'redis-server@stretch.service.j2'
 dest: '/etc/systemd/system/redis-server@.service'
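Review bot: In redis/defaults/main.yml, `redis_pid_dir_prefix` stays an overridable variable, but both unit templates touched by this patch hard-code the same location (`PIDFile=/run/redis-%i/redis-server.pid`, plus `RuntimeDirectory=redis-%i` in the buster template), so an inventory that overrides the prefix would leave systemd waiting for a PID file in a directory the instance does not use. With `Type=forking` that would most likely surface as start timeouts or restart loops rather than a clear error. Consider `PIDFile={{ redis_pid_dir_prefix }}-%i/redis-server.pid` in both templates, or a comment next to the default stating that the value must remain `/run/redis`. The redis.conf template is not part of this diff, so this assumes it builds its pidfile path from the variable.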
@@ -119,7 +119,20 @@
 group: "root"
 when:
 - ansible_distribution == "Debian"
- - ansible_distribution_major_version is version('9', '>=')
+ - ansible_distribution_major_version is version('9', '=')
+ tags:
+ - redis
+
+- name: Systemd template for redis instances is installed (Debian 10 or later)
+ template:
+ src: 'redis-server@buster.service.j2'
+ dest: '/etc/systemd/system/redis-server@.service'
+ mode: "0644"
+ owner: "root"
+ group: "root"
+ when:
+ - ansible_distribution == "Debian"
+ - ansible_distribution_major_version is version('10', '>=')
 tags:
 - redis
diff --git a/redis/templates/redis-server@buster.service.j2 b/redis/templates/redis-server@buster.service.j2
new file mode 100644
index 00000000..3742e589
--- /dev/null
+++ b/redis/templates/redis-server@buster.service.j2
@@ -0,0 +1,35 @@
+[Unit]
+Description=Advanced key-value store
+After=network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/redis-server {{ redis_conf_dir_prefix }}-%i/redis.conf
+PIDFile=/run/redis-%i/redis-server.pid
+TimeoutStopSec=0
+Restart=always
+User=redis-%i
+Group=redis-%i
+RuntimeDirectory=redis-%i
+
+ExecStop=/bin/kill -s TERM $MAINPID
+
+UMask=007
+PrivateTmp=yes
+LimitNOFILE=65535
+PrivateDevices=yes
+ProtectHome={{ redis_data_dir_prefix is match('/home') | ternary('no', 'yes') }}
+ReadOnlyDirectories=/
+ReadWriteDirectories=-{{ redis_data_dir_prefix }}-%i
+ReadWriteDirectories=-{{ redis_log_dir_prefix }}-%i
+ReadWriteDirectories=-{{ redis_pid_dir_prefix }}-%i
+ReadWriteDirectories=-{{ redis_socket_dir_prefix }}-%i
+CapabilityBoundingSet=~CAP_SYS_PTRACE
+
+# redis-server writes its own config file when in cluster mode so we allow
+# writing there (NB. ProtectSystem=true over ProtectSystem=full)
+ProtectSystem=true
+ReadWriteDirectories=-{{ redis_conf_dir_prefix }}-%i
+
+[Install]
+WantedBy=multi-user.target
diff --git a/redis/templates/redis-server@stretch.service.j2 b/redis/templates/redis-server@stretch.service.j2
index 3f14a296..5126caad 100644
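Review bot: In redis/tasks/instance-server.yml, the added "Debian 10 or later" task rewrites `/etc/systemd/system/redis-server@.service`, but nothing in the added lines makes systemd re-read the unit, so hosts that already run instances keep the previously loaded definition until a reload and restart happen. Unless a later task outside this hunk already does it, follow the two template tasks with a `systemd` task that sets `daemon_reload: yes` and restart the affected instances when either template reports a change. The two tasks now differ only in `src` and the version test, so a short comment such as `# buster template adds RuntimeDirectory= so /run/redis-%i is created by systemd` would tell the next reader why the split exists.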
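Review bot: In redis/templates/redis-server@buster.service.j2, the `[Service]` sandboxing leaves a privilege-escalation path open: `CapabilityBoundingSet=~CAP_SYS_PTRACE` removes a single capability and there is no `NoNewPrivileges=` line, even though the service runs as the unprivileged `redis-%i` user. Adding `NoNewPrivileges=yes` would keep redis-server and anything it executes from gaining privileges through setuid or file-capability binaries. Because this template is only installed on Debian 10 or later, `ProtectKernelTunables=yes`, `ProtectKernelModules=yes` and `ProtectControlGroups=yes` are worth testing as well, and `ReadOnlyDirectories=`/`ReadWriteDirectories=` could be written as `ReadOnlyPaths=`/`ReadWritePaths=`, the current names for the same settings.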
--- a/redis/templates/redis-server@stretch.service.j2
+++ b/redis/templates/redis-server@stretch.service.j2
@@ -5,7 +5,7 @@ After=network.target
 [Service]
 Type=forking
 ExecStart=/usr/bin/redis-server {{ redis_conf_dir_prefix }}-%i/redis.conf
-PIDFile=/var/run/redis-%i/redis-server.pid
+PIDFile=/run/redis-%i/redis-server.pid
 TimeoutStopSec=0
 Restart=always
 User=redis-%i