From b6bcff0265f883a71fd7d23df5075977c85c1b45 Mon Sep 17 00:00:00 2001
From: Pig Monkey
Date: Thu, 31 Mar 2016 20:17:39 -0700
Subject: [PATCH] jail mpd

Ansible doesn't seem to have a way to interact with systemd user instances. All the prep is done, but the user still needs to manually enable and start the mpd user service.
$ systemd --user enable mpd.service
$ systemd --user start mpd.service
Alternatively, the user could include mpd in their shell profile, xinitrc, or just call it whenever they want it to run.
We jail mpd in /usr/local/bin, just like everything else.
$ mpd
---
 playbook.yml | 1 +
 roles/media/tasks/main.yml | 1 -
 roles/media/tasks/mpd.yml | 15 -----------
 roles/mpd/files/firejail/mpd.profile | 7 +++++
 roles/mpd/files/mpd-service-override.conf | 3 +++
 roles/mpd/meta/main.yml | 4 +++
 roles/mpd/tasks/main.yml | 33 +++++++++++++++++++++++
 7 files changed, 48 insertions(+), 16 deletions(-)
 delete mode 100644 roles/media/tasks/mpd.yml
 create mode 100644 roles/mpd/files/firejail/mpd.profile
 create mode 100644 roles/mpd/files/mpd-service-override.conf
 create mode 100644 roles/mpd/meta/main.yml
 create mode 100644 roles/mpd/tasks/main.yml
diff --git a/playbook.yml b/playbook.yml
index a53444d..e965554 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -22,6 +22,7 @@
 - { role: editors, tags: ['editors'] }
 - { role: browsers, tags: ['browsers'] }
 - { role: media, tags: ['media'] }
+ - { role: mpd, tags: ['mpd'] }
 - { role: mpv, tags: ['mpv'] }
 - { role: pianobar, tags: ['pianobar'] }
 - { role: laptop, tags: ['laptop'] }
diff --git a/roles/media/tasks/main.yml b/roles/media/tasks/main.yml
index f704f6e..d12fd6c 100644
--- a/roles/media/tasks/main.yml
+++ b/roles/media/tasks/main.yml
@@ -1,5 +1,4 @@
 ---
-- include: mpd.yml
 - include: beets.yml
 - include: abcde.yml
 - include: xfburn.yml
diff --git a/roles/media/tasks/mpd.yml b/roles/media/tasks/mpd.yml
deleted file mode 100644
index d0c7045..0000000
--- a/roles/media/tasks/mpd.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-- name: Install mpd
- pacman: name=mpd state=present
- tags:
- - mpd
-
-- name: Install mpc
- pacman: name=mpc state=present
- tags:
- - mpd
-
-- name: Install ncmpcpp
- pacman: name=ncmpcpp state=present
- tags:
- - mpd
diff --git a/roles/mpd/files/firejail/mpd.profile b/roles/mpd/files/firejail/mpd.profile
new file mode 100644
index 0000000..0f6688b
--- /dev/null
+++ b/roles/mpd/files/firejail/mpd.profile
@@ -0,0 +1,7 @@
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-common.inc
+protocol unix,inet,inet6,netlink
+seccomp
+
+whitelist ~/.config/mpd
+whitelist ~/audio
diff --git a/roles/mpd/files/mpd-service-override.conf b/roles/mpd/files/mpd-service-override.conf
new file mode 100644
index 0000000..f45a782
--- /dev/null
+++ b/roles/mpd/files/mpd-service-override.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/firejail /usr/bin/mpd --no-daemon
diff --git a/roles/mpd/meta/main.yml b/roles/mpd/meta/main.yml
new file mode 100644
index 0000000..ee895d1
--- /dev/null
+++ b/roles/mpd/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - { role: firejail }
+ - { role: systemd }
diff --git a/roles/mpd/tasks/main.yml b/roles/mpd/tasks/main.yml
new file mode 100644
index 0000000..0994b86
--- /dev/null
+++ b/roles/mpd/tasks/main.yml
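Review bot: The new mpd.profile restricts syscalls and protocols but does nothing to stop a compromised mpd from regaining privilege through setuid binaries or file capabilities — there is no `caps.drop all`, `noroot` or `nonewprivs` line, which are the usual floor for a user-level daemon profile. If the installed firejail supports them, add after `seccomp`: `caps.drop all`, `noroot`, `nonewprivs`. Because any `whitelist` line hides the rest of $HOME, mpd's music_directory, database, log and state paths must all resolve under `~/.config/mpd` or `~/audio` or they will appear empty or be unwritable; a comment such as `# whitelist mode: $HOME is empty except these two paths — keep every path in mpd.conf inside them` would save the next reader a confusing failure. Whether mpd actually needs `netlink` is not established by this change; if it is only there for zeroconf, consider dropping it from the `protocol` line.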
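Review bot: `ExecStart=/usr/bin/firejail /usr/bin/mpd --no-daemon` relies on firejail locating a profile named after the binary in its own search path, while this commit installs the profile to `/usr/local/etc/firejail/mpd.profile`; unless the firejail role (not visible here) makes that directory part of the lookup, the service silently runs under firejail's default profile and none of the whitelist/seccomp settings apply. Passing the path explicitly removes that dependency: `ExecStart=/usr/bin/firejail --profile=/usr/local/etc/firejail/mpd.profile /usr/bin/mpd --no-daemon`. Since the drop-in lives under `/etc/systemd/user/` it applies to every user's mpd.service and only takes effect after each user's own instance is reloaded, which deserves a comment at the top of the file: `# Applies to every user's mpd.service; each user must run: systemctl --user daemon-reload`. The commit message's `systemd --user enable/start` should read `systemctl --user enable/start`.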
@@ -0,0 +1,33 @@
+---
+- name: Install mpd
+ pacman: name=mpd state=present
+
+- name: Jail mpd
+ file: src=/usr/bin/firejail
+ dest=/usr/local/bin/mpd
+ state=link
+ tags:
+ - firejail
+
+- name: Push mpd firejail profile
+ copy: src=firejail/mpd.profile dest=/usr/local/etc/firejail/mpd.profile
+ tags:
+ - firejail
+
+- name: Create mpd systemd unit file directory
+ file: path=/etc/systemd/user/mpd.service.d state=directory
+ tags:
+ - firejail
+
+- name: Push mpd socket unit file
+ copy: src=mpd-service-override.conf dest=/etc/systemd/user/mpd.service.d/override.conf
+ notify:
+ - reload systemd config
+ tags:
+ - firejail
+
+- name: Install mpc
+ pacman: name=mpc state=present
+
+- name: Install ncmpcpp
+ pacman: name=ncmpcpp state=present
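Review bot: The task named `Push mpd socket unit file` installs a service drop-in, not a socket unit — rename it `Push mpd service override` so play output matches what changed on disk. The `reload systemd config` handler it notifies is defined outside this hunk; if it runs a plain `daemon-reload` it only reloads the system manager, and every user's instance still needs `systemctl --user daemon-reload` before the override is seen, which the commit message acknowledges but the play does not record — a comment above the task saying so would spare the next reader a confusing first run. `Jail mpd` uses `state=link` without `force=yes`, so Ansible refuses to convert a pre-existing regular `/usr/local/bin/mpd` into the symlink and the task fails; add `force=yes` if replacing whatever is there is the intended "jail everything in /usr/local/bin" behaviour. The profile and drop-in are copied without explicit `owner`/`mode`; pinning `mode=0644` makes the root-owned, world-readable result explicit instead of umask-dependent.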