redis: instance service for Debian 11

2021-05-01 22:25:38 +02:00 · 2021-05-01 22:25:38 +02:00 · e8a8e85819
parent c5ab0c0ff9
commit e8a8e85819
2 changed files with 50 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -13,8 +13,13 @@ The **patch** part changes incrementally at each release.
 ### Added

 * Preliminary support for Debian 11 « Bullseye »
+* apache: new variable for mpm mode (+ updated default config accordingly)
 * certbot: add script for manual deploy hooks execution
+* evolinux-base: add default motd template
+* kvm-host: add migrate-vm script
 * listupgrade: crontab is configurable
+* mysql: variable to disable myadd script overwrite (default: True)
+* redis: instance service for Debian 11

 ### Changed

--- a/redis/templates/redis-server@bullseye.service.j2
+++ b/redis/templates/redis-server@bullseye.service.j2
@ -0,0 +1,45 @@
+[Unit]
+Description=Advanced key-value store
+After=network.target
+Documentation=http://redis.io/documentation, man:redis-server(1)
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/redis-server {{ redis_conf_dir_prefix }}-%i/redis.conf --supervised systemd --daemonize no
+PIDFile=/run/redis-%i/redis-server.pid
+TimeoutStopSec=0
+Restart=always
+User=redis-%i
+Group=redis-%i
+RuntimeDirectory=redis-%i
+RuntimeDirectoryMode=2755
+
+UMask=007
+PrivateTmp=yes
+LimitNOFILE=65535
+PrivateDevices=yes
+ProtectHome={{ redis_data_dir_prefix is match('/home') | ternary('no', 'yes') }}
+ReadOnlyDirectories=/
+ReadWritePaths=-{{ redis_data_dir_prefix }}-%i
+ReadWritePaths=-{{ redis_log_dir_prefix }}-%i
+ReadWritePaths=-{{ redis_pid_dir_prefix }}-%i
+ReadWritePaths=-{{ redis_socket_dir_prefix }}-%i
+
+NoNewPrivileges=true
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+MemoryDenyWriteExecute=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+# redis-server can write to its own config file when in cluster mode so we
+# permit writing there by default. If you are not using this feature, it is
+# recommended that you replace the following lines with "ProtectSystem=full".
+ProtectSystem=true
+ReadWriteDirectories=-{{ redis_conf_dir_prefix }}-%i
+
+[Install]
+WantedBy=multi-user.target