Import

2026-03-02 15:19:32 +01:00
commit 061fdc205a
12 changed files with 1909 additions and 0 deletions
--- a/ward.service
+++ b/ward.service
@@ -0,0 +1,34 @@
+[Unit]
+Description=ward — Kubernetes credential gateway (LDAP/Kerberos/htpasswd)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+
+# Adjust or override in /etc/systemd/system/ward.service.d/local.conf
+ExecStart=/usr/local/bin/ward \
+    --k3s-server=https://YOUR_K3S_HOSTNAME:6443 \
+    --addr=:8443
+
+# SIGHUP reloads the htpasswd file without restarting.
+ExecReload=/bin/kill -HUP $MAINPID
+
+Restart=on-failure
+RestartSec=5s
+
+# Must run as root to read:
+#   /var/lib/rancher/k3s/server/tls/client-ca.key
+#   /etc/letsencrypt/live/*/privkey.pem
+#   /etc/krb5.keytab  (if using Kerberos)
+# Tighten by granting group read access to those files instead.
+User=root
+
+NoNewPrivileges=yes
+ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+
+[Install]
+WantedBy=multi-user.target