From aede37be1b70ed4e53081682a6ec4814c348cb49 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?=
Date: Fri, 23 Jun 2023 17:33:17 +0200
Subject: Add new modules content.

This module is designed differently. It makes no attempt to manage templates. It still attempts to manage machines, but this should probably move to Puppet tasks or similar, with the static configuration mostly doing cleanup.
---
 types/systemd/bind.pp | 12 +++++
 types/systemd/nspawn.pp | 115 ++++++++++++++++++++++++++++++++++++++++++++
 types/systemd/resourcelimit | 7 +++
 3 files changed, 134 insertions(+)
 create mode 100644 types/systemd/bind.pp
 create mode 100644 types/systemd/nspawn.pp
 create mode 100644 types/systemd/resourcelimit
(limited to 'types')

diff --git a/types/systemd/bind.pp b/types/systemd/bind.pp
new file mode 100644
index 0000000..9554e9a
--- /dev/null
+++ b/types/systemd/bind.pp
@@ -0,0 +1,12 @@
+type Nspawn::Systemd::Bind = Variant[
+ String,
+ Tuple[String, String],
+ # TODO Typecheck options
+ Tuple[String, String, Array[String]],
+ Struct[{
+ 'source' => String,
+ 'dest' => String,
+ # TODO Typecheck options
+ 'options' => Optional[Array[String]],
+ }],
+]
diff --git a/types/systemd/nspawn.pp b/types/systemd/nspawn.pp
new file mode 100644
index 0000000..1b488c8
--- /dev/null
+++ b/types/systemd/nspawn.pp
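Review bot: The Struct form of the bind type leaves 'source' and 'dest' as bare String, while the sibling nspawn.pp type uses Stdlib::Unixpath for every other path it accepts (WorkingDirectory, PivotRoot, Inaccessible), so a mount destination of "" or "../x" is accepted here but rejected there. Unless the container-relative source form is wanted (nspawn accepts a "+"-prefixed source, if I recall the manual correctly — worth confirming), `'source' => Stdlib::Unixpath,` and `'dest' => Stdlib::Unixpath,` would make the two files agree and give the type some actual guarantee. The leading plain `String` variant also admits the raw "src:dst:options" syntax with no validation at all, so the two "TODO Typecheck options" comments apply to it as well; a comment such as `# Plain String is passed through verbatim as source[:dest[:options]] — no validation` would make that explicit for callers.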
@@ -0,0 +1,115 @@
+type Nspawn::Systemd::Nspawn = Struct[{
+ 'Exec' => Struct[{
+ 'Boot' => Optional[Boolean],
+ 'Ephemeral' => Optional[Boolean],
+ 'ProcessTwo' => Optional[Boolean],
+ 'Parameters' => Optional[Variant[
+ String,
+ Array[String],
+ ]],
+ 'Environment' => Optional[Hash[String, String]],
+ 'User' => Optional[String],
+ 'WorkingDirectory' => Optional[Stdlib::Unixpath],
+ 'PivotRoot' => Optional[Stdlib::Unixpath],
+ 'Capability' => Optional[Variant[Enum['all'], Array[String]]],
+ 'DropCapability' => Optional[Variant[Enum['all'], Array[String]]],
+ 'AmbientCapability' => Optional[Array[String]],
+ 'NoNewPrivileges' => Optional[Boolean],
+ # See signal(7) for valid signals
+ 'KillSignal' => Optional[String],
+ 'Personality' => Optional[Enum['x86', 'x86-64']],
+ 'MachineID' => Optional[Pattern[/\A[A-fa-f0-9]{32}\Z/]],
+ 'PrivateUsers' => Optional[Variant[
+ Integer,
+ Tuple[Integer, Integer],
+ Boolean,
+ Enum['yes', 'no', 'identity', 'pick']
+ ]],
+ 'NotifyReady' => Optional[Boolean],
+ # If first element is '~', then this is a blacklist
+ 'SystemCallFilter' => Optional[Array[String]],
+ 'LimitCPU' => Optional[Nspawn::Systemd::ResourceLimit],
+ 'LimitFSIZE' => Optional[Nspawn::Systemd::ResourceLimit],
+ 'LimitDATA' => Optional[Nspawn::Systemd::ResourceLimit],
+ 'LimitSTACK' => Optional[Nspawn::Systemd::ResourceLimit],
+ 'LimitCORE' => Optional[Nspawn::Systemd::ResourceLimit],
+ 'LimitRSS' => Optional[Nspawn::Systemd::ResourceLimit],
+ 'LimitNOFILE' => Optional[Nspawn::Systemd::ResourceLimit],
+ 'LimitAS' => Optional[Nspawn::Systemd::ResourceLimit],
+ 'LimitNPROC' => Optional[Nspawn::Systemd::ResourceLimit],
+ 'LimitMEMLOCK' => Optional[Nspawn::Systemd::ResourceLimit],
+ 'LimitLOCKS' => Optional[Nspawn::Systemd::ResourceLimit],
+ 'LimitSIGPENDING' => Optional[Nspawn::Systemd::ResourceLimit],
+ 'LimitMSGQUEUE' => Optional[Nspawn::Systemd::ResourceLimit],
+ 'LimitNICE' => Optional[Nspawn::Systemd::ResourceLimit],
+ 'LimitRTPRIO' => Optional[Nspawn::Systemd::ResourceLimit],
+ 'LimitRTTIME' => Optional[Nspawn::Systemd::ResourceLimit],
+ 'OOMScoreAdjust' => Optional[Integer[-1000, 1000]],
+ 'CPUAffinity' => Optional[Array[Variant[Integer, Tuple[Integer, Integer]]]],
+ 'Hostname' => Optional[String],
+ 'ResolvConf' => Optional[Enum[
+ 'off',
+ 'copy-host',
+ 'copy-static',
+ 'copy-uplink',
+ 'copy-stub',
+ 'replace-host',
+ 'replace-static',
+ 'replace-uplink',
+ 'replace-stub',
+ 'bind-host',
+ 'bind-static',
+ 'bind-uplink',
+ 'bind-stub',
+ 'delete',
+ 'auto',
+ ]],
+ 'Timezone' => Optional[Enum[
+ 'off',
+ 'copy',
+ 'bind',
+ 'symlink',
+ 'delete',
+ 'auto',
+ ]],
+ 'LinkJournal' => Optional[Enum[
+ 'no',
+ 'host',
+ 'try-host',
+ 'guest',
+ 'try-guest',
+ 'auto',
+ ]],
+ }],
+ 'Files' => Struct[{
+ 'ReadOnly' => Optional[Boolean],
+ 'Volatile' => Optional[Variant[Boolean, Enum['state']]],
+ 'Bind' => Optional[Array[Nspawn::Systemd::Bind]],
+ 'BindReadOnly' => Optional[Array[Nspawn::Systemd::Bind]],
+ # TODO Can binduser appear multiple times?
+ 'BindUser' => Optional[Array[String]],
+ # TODO Can tmpfs appear multiple times?
+ # TODO options type
+ 'TemporaryFileSystem' => Optional[Array[Variant[String, Tuple[String, String]]]],
+ 'Inaccessible' => Optional[Array[Stdlib::Unixpath]],
+ 'Overlay' => Optional[Array[Array[String, 2]]],
+ 'OverlayReadOnly' => Optional[Array[Array[String, 2]]],
+ 'PrivateUsersOwnership' => Optional[Enum['off', 'chown', 'map', 'auto']],
+ }],
+ 'Network' => Struct[{
+ 'Private' => Optional[Boolean],
+ 'VirtualEthernet' => Optional[Boolean],
+ 'VirtualEthernetExtra' => Optional[Array[Variant[String, Tuple[String, String]]]],
+ 'Interface' => Optional[Array[String]],
+ 'MACVLAN' => Optional[Array[String]],
+ 'IPVLAN' => Optional[Array[String]],
+ 'Bridge' => Optional[String],
+ 'Zone' => Optional[String],
+ 'Port' => Optional[Array[Variant[
+ Tuple[Enum['tcp', 'udp'], Stdlib::Port, Stdlib::Port],
+ Tuple[Enum['tcp', 'udp'], Stdlib::Port],
+ Tuple[Stdlib::Port, Stdlib::Port],
+ Tuple[Stdlib::Port],
+ ]]],
+ }],
+}]
diff --git a/types/systemd/resourcelimit b/types/systemd/resourcelimit
new file mode 100644
index 0000000..3558fb5
--- /dev/null
+++ b/types/systemd/resourcelimit
@@ -0,0 +1,7 @@
+type Nspawn::Systemd::ResourceLimit = Variant[
+ Variant[Integer, enum['infinity']],
+ Tuple[
+ Variant[Integer, enum['infinity']],
+ Variant[Integer, enum['infinity']],
+ ]
+]
-- cgit v1.2.3
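Review bot: The MachineID pattern `[A-fa-f0-9]` does not validate a hex string: the range `A-f` runs from ASCII 0x41 to 0x66, so `G`–`Z`, `[`, `\`, `]`, `^`, `_` and the backtick all pass and a 32-character value containing them reaches the generated nspawn configuration unchallenged. Puppet patterns are Ruby regexes, where `\Z` also matches before a trailing newline, so the strict form is `'MachineID' => Optional[Pattern[/\A[A-Fa-f0-9]{32}\z/]],`. Separately, 'Exec', 'Files' and 'Network' are the only non-Optional keys in the whole alias, so every caller must supply all three hashes even when empty; wrapping each section in Optional[...] would match the style of the inner keys unless the requirement is deliberate, in which case a comment saying so at the top of the Struct would help.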
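Review bot: The new file types/systemd/resourcelimit has no `.pp` suffix, unlike bind.pp and nspawn.pp, so Puppet's autoloader will not find `Nspawn::Systemd::ResourceLimit` and every `Limit*` key in nspawn.pp that references it will fail to resolve. The alias body also writes `enum['infinity']` in lowercase, whereas every other type reference in the commit is capitalized (`Enum[...]`); Puppet treats only capitalized words as type references, so as written this does not evaluate as a type. Renaming the file to resourcelimit.pp and using `Variant[Integer, Enum['infinity']]` in all three places fixes both; the outer `Variant[Variant[...], Tuple[...]]` nesting is redundant and can be flattened at the same time.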