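# ward.service: systemd unit for the ward Kubernetes credential gateway.
# Keep site-specific settings in a drop-in rather than editing this file:
#   /etc/systemd/system/ward.service.d/local.conf

[Unit]
Description=ward — Kubernetes credential gateway (LDAP/Kerberos/htpasswd)
# Wants= pulls in network-online.target; After= orders ward behind it.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple

# YOUR_K3S_HOSTNAME is a placeholder and must be replaced before first start.
# Adjust or override in /etc/systemd/system/ward.service.d/local.conf
# In a drop-in, clear the inherited command with an empty "ExecStart=" line
# before the new one; a Type=simple service accepts only one ExecStart.
# NOTE(review): --addr=:8443 presumably listens on every interface; confirm
# against ward's flag documentation and restrict with a firewall if needed.
ExecStart=/usr/local/bin/ward \
    --k3s-server=https://YOUR_K3S_HOSTNAME:6443 \
    --addr=:8443

# SIGHUP reloads the htpasswd file without restarting.
ExecReload=/bin/kill -HUP $MAINPID

Restart=on-failure
RestartSec=5s

# Must run as root to read:
#   /var/lib/rancher/k3s/server/tls/client-ca.key
#   /etc/letsencrypt/live/*/privkey.pem
#   /etc/krb5.keytab  (if using Kerberos)
# Tighten by granting group read access to those files instead.
# The client CA key is the most sensitive of the three: whoever can read it
# can sign client certificates the cluster will trust, so treat this process
# as part of the cluster's trust root.
User=root

# Sandboxing. The service still runs as root, so these directives are the
# main containment if ward is compromised.
NoNewPrivileges=yes
ProtectHome=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
# Additional low-impact hardening: none of these affect reading the key
# files above or listening on TCP. A systemd too old to know a directive
# logs a warning and ignores it.
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
LockPersonality=yes
RestrictRealtime=yes
# Candidates to evaluate next. They are not enabled here because the paths
# ward writes to and the capabilities it needs are not visible from this unit:
#   ProtectSystem=strict together with ReadWritePaths=
#   CapabilityBoundingSet=
# Check the resulting exposure with: systemd-analyze security ward.service

[Install]
WantedBy=multi-user.target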