config_o_mat 0.1.0

data/systemd/teak-configurator-stop-service@.path

@@ -0,0 +1,27 @@
+# Copyright 2021 Teak.io, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# By enabling this unit for a service, we ensure that after the service starts systemd
+# listens for touches on the configurator's stop file, and will run teak-configurator-stop-service@%i.service
+# when the file is touched.
+#
+# This allows the configurator to stop systemd services without privileged access.
+[Unit]
+Description=Touch a file to stop %i.service
+
+[Path]
+PathModified=/run/teak-configurator/%i.stop
+
+[Install]
+WantedBy=%i.service

data/systemd/teak-configurator-stop-service@.service

@@ -0,0 +1,21 @@
+# Copyright 2021 Teak.io, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[Unit]
+Description=Stop %i.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl stop %i.service
+RemainAfterExit=no

data/systemd/teak-configurator.service

@@ -0,0 +1,68 @@
+# Copyright 2021 Teak.io, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[Unit]
+Description=Teak Configurator
+Requires=teak-metaconfigurator.service network.target
+After=teak-metaconfigurator.service network.target
+
+[Service]
+Slice=teak-services.slice
+ReadOnlyPaths=/
+ProtectSystem=strict
+RuntimeDirectory=teak-configurator
+# We use files in our runtime directory to both indicate to systemd that services should
+# be restarted and to provide "credential" data to systemd services. If systemd nukes that
+# directory it will see changes to the files we touch to restart services, and so restart the
+# services. When the services restart, they will try to load their "credential" data, which will
+# also be absent. This takes down all the services.
+#
+# I would prefer that things continue operating even if the configurator dies -- we can find other
+# mechanisms to mark a server as unhealthy if it can no longer get new config data.
+RuntimeDirectoryPreserve=yes
+RuntimeDirectoryMode=0700
+LogsDirectory=teak-configurator
+ConfigurationDirectory=teak-configurator
+WorkingDirectory=/opt/teak-configurator
+
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
+PrivateDevices=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+RestrictRealtime=yes
+LockPersonality=yes
+RemoveIPC=yes
+UMask=0033
+
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @resources @swap
+
+CapabilityBoundingSet=
+RestrictAddressFamilies=~AF_NETLINK AF_PACKET
+RestrictNamespaces=yes
+
+WatchdogSec=60
+
+NotifyAccess=main
+Type=notify
+ExecStart=bundle2.7 exec /opt/teak-configurator/bin/config_o_mat-configurator
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

data/systemd/teak-metaconfigurator.service

@@ -0,0 +1,57 @@
+# Copyright 2021 Teak.io, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[Unit]
+Description=Teak Meta Configurator (Configures systemd for the configurator)
+
+[Service]
+ReadOnlyPaths=/
+
+# We persist systemd dropins and other config, so make sure that's writeable
+ReadWritePaths=/run/systemd/system
+ProtectSystem=full
+RuntimeDirectory=teak-configurator
+LogsDirectory=teak-configurator
+ConfigurationDirectory=teak-configurator
+WorkingDirectory=/opt/teak-configurator
+
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+RestrictRealtime=yes
+LockPersonality=yes
+RemoveIPC=yes
+UMask=0033
+
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @resources @swap
+
+CapabilityBoundingSet=
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+
+User=root
+Type=oneshot
+ExecStart=bundle2.7 exec /opt/teak-configurator/bin/config_o_mat-meta_configurator
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

metadata

@@ -0,0 +1,213 @@
+--- !ruby/object:Gem::Specification
+name: config_o_mat
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Alex Scarborough
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2022-01-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-appconfig
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.18'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.18'
+- !ruby/object:Gem::Dependency
+  name: logsformyfamily
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: lifecycle_vm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+- !ruby/object:Gem::Dependency
+  name: ruby-dbus
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.16.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.16.0
+- !ruby/object:Gem::Dependency
+  name: sd_notify
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.21.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.21.2
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.10'
+description:
+email:
+- alex@teak.io
+executables:
+- config_o_mat-configurator
+- config_o_mat-meta_configurator
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".ruby-gemset"
+- ".ruby-version"
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- NOTICE
+- README.md
+- Rakefile
+- bin/config_o_mat-configurator
+- bin/config_o_mat-meta_configurator
+- config_o_mat.gemspec
+- design/configurator_lifecycle_test.dot
+- design/original_design.md
+- lib/config_o_mat/configurator.rb
+- lib/config_o_mat/configurator/cond.rb
+- lib/config_o_mat/configurator/cond/first_run.rb
+- lib/config_o_mat/configurator/cond/next_state.rb
+- lib/config_o_mat/configurator/cond/profiles_to_apply.rb
+- lib/config_o_mat/configurator/cond/retries_left.rb
+- lib/config_o_mat/configurator/cond/services_to_reload.rb
+- lib/config_o_mat/configurator/memory.rb
+- lib/config_o_mat/configurator/op.rb
+- lib/config_o_mat/configurator/op/apply_all_profiles.rb
+- lib/config_o_mat/configurator/op/commit_staged_profile.rb
+- lib/config_o_mat/configurator/op/compile_templates.rb
+- lib/config_o_mat/configurator/op/connect_to_appconfig.rb
+- lib/config_o_mat/configurator/op/generate_all_templates.rb
+- lib/config_o_mat/configurator/op/next_tick.rb
+- lib/config_o_mat/configurator/op/notify_systemd_start.rb
+- lib/config_o_mat/configurator/op/parse_cli.rb
+- lib/config_o_mat/configurator/op/refresh_all_profiles.rb
+- lib/config_o_mat/configurator/op/refresh_profile.rb
+- lib/config_o_mat/configurator/op/reload_one_service.rb
+- lib/config_o_mat/configurator/op/stage_one_profile.rb
+- lib/config_o_mat/configurator/op/wait_retry.rb
+- lib/config_o_mat/flip_flopper.rb
+- lib/config_o_mat/flip_flopper/cond.rb
+- lib/config_o_mat/flip_flopper/cond/service_status.rb
+- lib/config_o_mat/flip_flopper/memory.rb
+- lib/config_o_mat/flip_flopper/op.rb
+- lib/config_o_mat/flip_flopper/op/check_service_status.rb
+- lib/config_o_mat/flip_flopper/op/determine_running_instance.rb
+- lib/config_o_mat/flip_flopper/op/report_failure.rb
+- lib/config_o_mat/flip_flopper/op/start_activating_instance.rb
+- lib/config_o_mat/flip_flopper/op/stop_activating_instance.rb
+- lib/config_o_mat/flip_flopper/op/stop_initial_instance.rb
+- lib/config_o_mat/meta_configurator.rb
+- lib/config_o_mat/meta_configurator/memory.rb
+- lib/config_o_mat/meta_configurator/op.rb
+- lib/config_o_mat/meta_configurator/op/generate_systemd_config.rb
+- lib/config_o_mat/meta_configurator/op/parse_meta_cli.rb
+- lib/config_o_mat/shared/cond.rb
+- lib/config_o_mat/shared/cond/early_exit.rb
+- lib/config_o_mat/shared/op.rb
+- lib/config_o_mat/shared/op/load_meta_config.rb
+- lib/config_o_mat/shared/systemd_interface.rb
+- lib/config_o_mat/shared/types.rb
+- lib/config_o_mat/version.rb
+- lib/version.rb
+- systemd/teak-configurator-restart-service@.path
+- systemd/teak-configurator-restart-service@.service
+- systemd/teak-configurator-start-service@.path
+- systemd/teak-configurator-start-service@.service
+- systemd/teak-configurator-stop-service@.path
+- systemd/teak-configurator-stop-service@.service
+- systemd/teak-configurator.service
+- systemd/teak-metaconfigurator.service
+homepage: https://github.com/GoCarrot/configurator
+licenses: []
+metadata:
+  homepage_uri: https://github.com/GoCarrot/configurator
+  source_code_uri: https://github.com/GoCarrot/configurator
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key:
+specification_version: 4
+summary: ConfigOMat applies AWS AppConfig to Systemd services.
+test_files: []