From e8a8e8581923aae6c5d680409100517c6438754a Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Sat, 1 May 2021 22:25:38 +0200
Subject: [PATCH] redis: instance service for Debian 11
---
 CHANGELOG.md | 5 +++
 .../redis-server@bullseye.service.j2 | 45 +++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 redis/templates/redis-server@bullseye.service.j2
diff --git a/CHANGELOG.md b/CHANGELOG.md
index be32015f..b5ca4ab5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,8 +13,13 @@ The **patch** part changes incrementally at each release.
 ### Added
 * Preliminary support for Debian 11 « Bullseye »
+* apache: new variable for mpm mode (+ updated default config accordingly)
 * certbot: add script for manual deploy hooks execution
+* evolinux-base: add default motd template
+* kvm-host: add migrate-vm script
 * listupgrade: crontab is configurable
+* mysql: variable to disable myadd script overwrite (default: True)
+* redis: instance service for Debian 11
 ### Changed
diff --git a/redis/templates/redis-server@bullseye.service.j2 b/redis/templates/redis-server@bullseye.service.j2
new file mode 100644
index 00000000..623eb919
--- /dev/null
+++ b/redis/templates/redis-server@bullseye.service.j2
@@ -0,0 +1,45 @@
+[Unit]
+Description=Advanced key-value store
+After=network.target
+Documentation=http://redis.io/documentation, man:redis-server(1)
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/redis-server {{ redis_conf_dir_prefix }}-%i/redis.conf --supervised systemd --daemonize no
+PIDFile=/run/redis-%i/redis-server.pid
+TimeoutStopSec=0
+Restart=always
+User=redis-%i
+Group=redis-%i
+RuntimeDirectory=redis-%i
+RuntimeDirectoryMode=2755
+
+UMask=007
+PrivateTmp=yes
+LimitNOFILE=65535
+PrivateDevices=yes
+ProtectHome={{ redis_data_dir_prefix is match('/home') | ternary('no', 'yes') }}
+ReadOnlyDirectories=/
+ReadWritePaths=-{{ redis_data_dir_prefix }}-%i
+ReadWritePaths=-{{ redis_log_dir_prefix }}-%i
+ReadWritePaths=-{{ redis_pid_dir_prefix }}-%i
+ReadWritePaths=-{{ redis_socket_dir_prefix }}-%i
+
+NoNewPrivileges=true
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+MemoryDenyWriteExecute=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+# redis-server can write to its own config file when in cluster mode so we
+# permit writing there by default. If you are not using this feature, it is
+# recommended that you replace the following lines with "ProtectSystem=full".
+ProtectSystem=true
+ReadWriteDirectories=-{{ redis_conf_dir_prefix }}-%i
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
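Review bot: `PIDFile=/run/redis-%i/redis-server.pid` is hard-coded while the writable PID directory further down is templated as `ReadWritePaths=-{{ redis_pid_dir_prefix }}-%i`, so the two can drift apart: if the role ever sets `redis_pid_dir_prefix` to something other than `/run/redis`, systemd watches a PID file the instance never writes, and `RuntimeDirectory=redis-%i` only masks that while the default holds. Consider `PIDFile={{ redis_pid_dir_prefix }}-%i/redis-server.pid` so the path follows the variable (the role defaults are not visible in this patch, so the actual default is an assumption on my part). Separately, the unit mixes the legacy spellings `ReadOnlyDirectories=` and `ReadWriteDirectories=` with the current `ReadWritePaths=`; the systemd shipped with bullseye should still accept the old names, but `ReadOnlyPaths=`/`ReadWritePaths=` throughout reads more consistently. `ProtectHome=` is derived from `redis_data_dir_prefix` alone, so an instance whose log, pid or socket prefix lives under /home while its data prefix does not would still be blocked; a one-line comment such as `# ProtectHome is decided by the data dir only; log/pid/socket prefixes under /home are not covered` would make that explicit.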