Manage {system,user}.conf

Author: Yury Bushmelev

manifests/init.pp

@@ -219,6 +219,22 @@
 #
 # @param udev_purge_rules
 #   Toggle if unmanaged files in /etc/udev/rules.d should be purged if manage_udevd is enabled
+#
+# @param manage_system_conf
+#   Should system service manager configurations be managed
+#
+# @param system_settings
+#   Config Hash that is used to configure settings in system.conf
+#   NOTE: It's currently impossible to have multiple entries of the same key in
+#   the settings.
+#
+# @param manage_user_conf
+#   Should user service manager configurations be managed
+#
+# @param user_settings
+#   Config Hash that is used to configure settings in user.conf
+#   NOTE: It's currently impossible to have multiple entries of the same key in
+#   the settings.
 class systemd (
   Optional[Pattern['^.+\.target$']]                   $default_target = undef,
   Hash[String,String]                                 $accounting = {},
@@ -284,6 +300,10 @@
   Enum['stopped','running']                           $oomd_ensure = 'running',
   Systemd::OomdSettings                               $oomd_settings = {},
   Boolean                                             $udev_purge_rules = false,
+  Boolean                                             $manage_system_conf = true,
+  Systemd::SystemSettings                             $system_settings = {},
+  Boolean                                             $manage_user_conf = true,
+  Systemd::SystemSettings                             $user_settings = {},
 ) {
   contain systemd::install
 
@@ -347,8 +367,8 @@
     contain systemd::udevd
   }
 
-  if $manage_accounting {
-    contain systemd::system
+  if $manage_accounting or $manage_system_conf or $manage_user_conf {
+    contain systemd::service_manager
   }
 
   unless empty($machine_info_settings) {

manifests/service_manager.pp

@@ -0,0 +1,53 @@
+# @api private
+#
+# This class provides a solution to manage system and/or user service manager settings.
+# @see https://www.freedesktop.org/software/systemd/man/latest/systemd-system.conf.html
+#
+# @param manage_system_conf
+#   Should system service manager configurations be managed
+#
+# @param system_settings
+#   Config Hash that is used to configure settings in system.conf
+#   NOTE: It's currently impossible to have multiple entries of the same key in
+#   the settings.
+#
+# @param manage_user_conf
+#   Should user service manager configurations be managed
+#
+# @param user_settings
+#   Config Hash that is used to configure settings in user.conf
+#   NOTE: It's currently impossible to have multiple entries of the same key in
+#   the settings.
+#
+class systemd::service_manager (
+  Boolean $manage_system_conf = $systemd::manage_system_conf,
+  Boolean $manage_user_conf = $systemd::manage_user_conf,
+  Systemd::ServiceManagerSettings $system_settings = $systemd::system_settings + $systemd::accounting,
+  Systemd::ServiceManagerSettings $user_settings = $systemd::user_settings,
+) {
+  assert_private()
+
+  if $manage_system_conf {
+    $system_settings.each |$option, $value| {
+      ini_setting { "system/${option}":
+        ensure  => 'present',
+        path    => '/etc/systemd/system.conf',
+        section => 'Manager',
+        setting => $option,
+        value   => $value,
+      }
+    }
+  }
+
+  if $manage_user_conf {
+    $user_settings.each |$option, $value| {
+      ini_setting { "user/${option}":
+        ensure  => 'present',
+        path    => '/etc/systemd/user.conf',
+        section => 'Manager',
+        setting => $option,
+        value   => $value,
+      }
+    }
+  }
+}

manifests/system.pp

@@ -0,0 +1,2 @@
+# @summary Defines allowed capabilities
+type Systemd::Capabilities = Variant[Pattern[/^~?(CAP_[A-Z_]+ *)+$/]]

types/capabilities.pp

@@ -0,0 +1,2 @@
+# @summary Defines allowed log levels
+type Systemd::LogLevel = Variant[Enum['emerg','alert','crit','err','warning','notice','info','debug'], Integer[0,7]]

types/loglevel.pp

@@ -0,0 +1,3 @@
+# @summary Defines allowed output values
+# Used in DefaultStandardOutput/DefaultStandardError e.g.
+type Systemd::Output = Enum['inherit', 'null', 'tty', 'journal', 'journal+console', 'kmsg', 'kmsg+console']

types/output.pp

@@ -0,0 +1,76 @@
+# @summary Matches Systemd system.conf/user.conf settings
+# @see https://www.freedesktop.org/software/systemd/man/latest/systemd-system.conf.html
+type Systemd::ServiceManagerSettings = Struct[
+  # lint:ignore:140chars
+  {
+    Optional['LogLevel'] => Variant[Systemd::LogLevel, Systemd::SettingEnsure],
+    Optional['LogTarget'] => Variant[Enum['console','console-prefixed','kmsg','journal','journal-or-kmsg','auto','null'], Systemd::SettingEnsure],
+    Optional['LogColor'] => Variant[Boolean, Systemd::SettingEnsure],
+    Optional['LogLocation'] => Variant[Boolean, Systemd::SettingEnsure],
+    Optional['LogTime'] => Variant[Boolean, Systemd::SettingEnsure],
+    Optional['DumpCore'] => Variant[Boolean, Systemd::SettingEnsure],
+    Optional['ShowStatus'] => Variant[Boolean, Enum['auto','error'], Systemd::SettingEnsure],
+    Optional['CrashChangeVT'] => Variant[Boolean, Integer[1,63], Systemd::SettingEnsure],
+    Optional['CrashShell'] => Variant[Boolean, Systemd::SettingEnsure],
+    Optional['CrashReboot'] => Variant[Boolean, Systemd::SettingEnsure], # Obsoleted by CrashAction in v256, delete after Debian 12 EOL
+    Optional['CrashAction'] => Variant[Enum['freeze', 'reboot', 'poweroff'], Systemd::SettingEnsure],
+    Optional['CtrlAltDelBurstAction'] => Variant[Enum['reboot-force','poweroff-force','reboot-immediate','poweroff-immediate','none'], Systemd::SettingEnsure],
+    Optional['CPUAffinity'] => Variant[Enum['numa'], Pattern['^[0-9, -]+$'], Systemd::SettingEnsure],
+    Optional['NUMAPolicy'] => Variant[Enum['default','preferred','bind','interleave','local'], Systemd::SettingEnsure],
+    Optional['NUMAMask'] => Variant[Enum['all'], Pattern['^[0-9, -]+$'], Systemd::SettingEnsure],
+    Optional['RuntimeWatchdogSec'] => Variant[Enum['off','default'], Systemd::Timespan, Systemd::SettingEnsure],
+    Optional['RuntimeWatchdogPreSec'] => Variant[Enum['off'], Systemd::Timespan, Systemd::SettingEnsure],
+    Optional['RuntimeWatchdogPreGovernor'] => Variant[Enum['noop', 'panic'], String[1], Systemd::SettingEnsure],
+    Optional['RebootWatchdogSec'] => Variant[Enum['off','default'], Systemd::Timespan, Systemd::SettingEnsure],
+    Optional['KExecWatchdogSec'] => Variant[Enum['off','default'], Systemd::Timespan, Systemd::SettingEnsure],
+    Optional['WatchdogDevice'] => Variant[Stdlib::Absolutepath, Systemd::SettingEnsure],
+    Optional['CapabilityBoundingSet'] => Variant[Systemd::Capabilities, Systemd::SettingEnsure],
+    Optional['NoNewPrivileges'] => Variant[Boolean, Systemd::SettingEnsure],
+    Optional['ProtectSystem'] => Variant[Enum['auto'], Boolean, Systemd::SettingEnsure],
+    Optional['SystemCallArchitectures'] => Variant[String[1], Systemd::SettingEnsure],
+    Optional['TimerSlackNSec'] => Variant[Systemd::Timespan, Systemd::SettingEnsure],
+    Optional['StatusUnitFormat'] => Variant[Enum['combined','description','name'], Systemd::SettingEnsure],
+    Optional['DefaultTimerAccuracySec'] => Variant[Systemd::Timespan, Systemd::SettingEnsure],
+    Optional['DefaultStandardOutput'] => Variant[Systemd::Output, Systemd::SettingEnsure],
+    Optional['DefaultStandardError'] => Variant[Systemd::Output, Systemd::SettingEnsure],
+    Optional['DefaultTimeoutStartSec'] => Variant[Systemd::Timespan, Systemd::SettingEnsure],
+    Optional['DefaultTimeoutStopSec'] => Variant[Systemd::Timespan, Systemd::SettingEnsure],
+    Optional['DefaultTimeoutAbortSec'] => Variant[Systemd::Timespan, Systemd::SettingEnsure],
+    Optional['DefaultDeviceTimeoutSec'] => Variant[Systemd::Timespan, Systemd::SettingEnsure],
+    Optional['DefaultRestartSec'] => Variant[Systemd::Timespan, Systemd::SettingEnsure],
+    Optional['DefaultStartLimitIntervalSec'] => Variant[Enum['infinity'], Systemd::Timespan, Systemd::SettingEnsure],
+    Optional['DefaultStartLimitBurst'] => Variant[Integer[0], Systemd::SettingEnsure],
+    Optional['DefaultEnvironment'] => Variant[String, Systemd::SettingEnsure],
+    Optional['ManagerEnvironment'] => Variant[String, Systemd::SettingEnsure],
+    Optional['DefaultCPUAccounting'] => Variant[Boolean, Systemd::SettingEnsure],
+    Optional['DefaultBlockIOAccounting'] => Variant[Boolean, Systemd::SettingEnsure], # Deprecated in v252. Delete after Debian 11 EOL
+    Optional['DefaultIOAccounting'] => Variant[Boolean, Systemd::SettingEnsure],
+    Optional['DefaultIPAccounting'] => Variant[Boolean, Systemd::SettingEnsure],
+    Optional['DefaultMemoryAccounting'] => Variant[Boolean, Systemd::SettingEnsure],
+    Optional['DefaultTasksAccounting'] => Variant[Boolean, Systemd::SettingEnsure],
+    Optional['DefaultTasksMax'] => Variant[Enum[infinity], Integer[0], Systemd::Unit::Percent, Systemd::SettingEnsure],
+    Optional['DefaultLimitCPU'] => Variant[Pattern['^\d+(s|m|h|d|w|M|y)?(:\d+(s|m|h|d|w|M|y)?)?$'], Systemd::SettingEnsure],
+    Optional['DefaultLimitFSIZE'] => Variant[Pattern['^(infinity|((\d+(K|M|G|T|P|E)?(:\d+(K|M|G|T|P|E)?)?)))$'], Systemd::SettingEnsure],
+    Optional['DefaultLimitDATA'] => Variant[Pattern['^(infinity|((\d+(K|M|G|T|P|E)?(:\d+(K|M|G|T|P|E)?)?)))$'], Systemd::SettingEnsure],
+    Optional['DefaultLimitSTACK'] => Variant[Pattern['^(infinity|((\d+(K|M|G|T|P|E)?(:\d+(K|M|G|T|P|E)?)?)))$'], Systemd::SettingEnsure],
+    Optional['DefaultLimitCORE'] => Variant[Pattern['^(infinity|((\d+(K|M|G|T|P|E)?(:\d+(K|M|G|T|P|E)?)?)))$'], Systemd::SettingEnsure],
+    Optional['DefaultLimitRSS'] => Variant[Pattern['^(infinity|((\d+(K|M|G|T|P|E)?(:\d+(K|M|G|T|P|E)?)?)))$'], Systemd::SettingEnsure],
+    Optional['DefaultLimitNOFILE'] => Variant[Integer[-1], Pattern['^(infinity|\d+(:(infinity|\d+))?)$'], Systemd::SettingEnsure],
+    Optional['DefaultLimitAS'] => Variant[Pattern['^(infinity|((\d+(K|M|G|T|P|E)?(:\d+(K|M|G|T|P|E)?)?)))$'], Systemd::SettingEnsure],
+    Optional['DefaultLimitNPROC'] => Variant[Integer[-1],Pattern['^(infinity|\d+(:(infinity|\d+))?)$'], Systemd::SettingEnsure],
+    Optional['DefaultLimitMEMLOCK'] => Variant[Pattern['^(infinity|((\d+(K|M|G|T|P|E)?(:\d+(K|M|G|T|P|E)?)?)))$'], Systemd::SettingEnsure],
+    Optional['DefaultLimitLOCKS'] => Variant[Integer[1], Systemd::SettingEnsure],
+    Optional['DefaultLimitSIGPENDING'] => Variant[Integer[1], Systemd::SettingEnsure],
+    Optional['DefaultLimitMSGQUEUE'] => Variant[Pattern['^(infinity|((\d+(K|M|G|T|P|E)?(:\d+(K|M|G|T|P|E)?)?)))$'], Systemd::SettingEnsure],
+    Optional['DefaultLimitNICE'] => Variant[Integer[0,40], Pattern['^(-\+([0-1]?[0-9]|20))|([0-3]?[0-9]|40)$'], Systemd::SettingEnsure],
+    Optional['DefaultLimitRTPRIO'] => Variant[Integer[0], Systemd::SettingEnsure],
+    Optional['DefaultLimitRTTIME'] => Variant[Pattern['^\d+(ms|s|m|h|d|w|M|y)?(:\d+(ms|s|m|h|d|w|M|y)?)?$'], Systemd::SettingEnsure],
+    Optional['DefaultOOMPolicy'] => Variant[Enum['continue', 'stop','kill'], Systemd::SettingEnsure],
+    Optional['DefaultSmackProcessLabel'] => Variant[String, Systemd::SettingEnsure],
+    Optional['ReloadLimitIntervalSec'] => Variant[Enum['infinity'], Systemd::Timespan, Systemd::SettingEnsure],
+    Optional['ReloadLimitBurst'] => Variant[Integer[0], Systemd::SettingEnsure],
+    Optional['DefaultMemoryPressureWatch'] => Variant[Systemd::SettingEnsure],
+    Optional['DefaultMemoryPressureThresholdSec'] => Variant[Systemd::SettingEnsure],
+  }
+  # lint:endignore
+]

types/servicemanagersettings.pp

@@ -0,0 +1,2 @@
+# @summary Defines allowed ensure states for an ini_setting
+type Systemd::SettingEnsure = Struct[{ 'ensure' => Enum['present','absent'] }]

types/settingensure.pp

@@ -0,0 +1,6 @@
+# @summary Defines a timespan type
+# @see https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html
+type Systemd::Timespan = Variant[
+  Integer[0],
+  Pattern[/^([0-9]+ *(usec|us|msec|ms|second[s]?|sec|s|minute[s]?|min|m|hour[s]?|hr|h|day[s]?|d|week[s]?|w|month[s]?|M|year[s]?|y)? *)+$/]
+]