CHANGELOG.md

@@ -4,6 +4,24 @@ All notable changes to this project will be documented in this file.
 Each new release typically also includes the latest modulesync defaults.
 These should not affect the functionality of the module.
 
+## [v6.1.0](https://github.com/voxpupuli/puppet-systemd/tree/v6.1.0) (2023-10-30)
+
+[Full Changelog](https://github.com/voxpupuli/puppet-systemd/compare/v6.0.0...v6.1.0)
+
+**Implemented enhancements:**
+
+- Add Debian 12 support [\#386](https://github.com/voxpupuli/puppet-systemd/pull/386) ([bastelfreak](https://github.com/bastelfreak))
+- Add OracleLinux 9 support [\#385](https://github.com/voxpupuli/puppet-systemd/pull/385) ([bastelfreak](https://github.com/bastelfreak))
+- Install systemd-networkd package, if any [\#380](https://github.com/voxpupuli/puppet-systemd/pull/380) ([ekohl](https://github.com/ekohl))
+- Add more security related parameters to service [\#379](https://github.com/voxpupuli/puppet-systemd/pull/379) ([lkck24](https://github.com/lkck24))
+- only accept socket\_entry for socket units [\#376](https://github.com/voxpupuli/puppet-systemd/pull/376) ([evgeni](https://github.com/evgeni))
+- Implement DNSStubListenerExtra for resolved.conf [\#371](https://github.com/voxpupuli/puppet-systemd/pull/371) ([ekohl](https://github.com/ekohl))
+- Support Debian 12 [\#357](https://github.com/voxpupuli/puppet-systemd/pull/357) ([traylenator](https://github.com/traylenator))
+
+**Merged pull requests:**
+
+- Drop OracleLinux 7 from metadata.json [\#384](https://github.com/voxpupuli/puppet-systemd/pull/384) ([bastelfreak](https://github.com/bastelfreak))
+
 ## [v6.0.0](https://github.com/voxpupuli/puppet-systemd/tree/v6.0.0) (2023-09-04)
 
 [Full Changelog](https://github.com/voxpupuli/puppet-systemd/compare/v5.2.0...v6.0.0)

README.md

@@ -351,7 +351,7 @@ class { 'systemd':
 }
 ```
 
-when `manage_systemd` is true any required sub package, e.g. `systemd-resolved` on CentOS 9, will be installed. However configuration of
+when `manage_systemd` is true any required sub package, e.g. `systemd-resolved` on CentOS 9 or Debian 12, will be installed. However configuration of
 systemd-resolved will only occur on second puppet run after that installation.
 
 This requires [puppetlabs-inifile](https://forge.puppet.com/puppetlabs/inifile), which is only a soft dependency in this module (you need to explicitly install it). Both parameters accept a string or an array.

REFERENCE.md

@@ -97,10 +97,12 @@ The following parameters are available in the `systemd` class:
 * [`dnsovertls`](#-systemd--dnsovertls)
 * [`cache`](#-systemd--cache)
 * [`dns_stub_listener`](#-systemd--dns_stub_listener)
+* [`dns_stub_listener_extra`](#-systemd--dns_stub_listener_extra)
 * [`manage_resolv_conf`](#-systemd--manage_resolv_conf)
 * [`use_stub_resolver`](#-systemd--use_stub_resolver)
 * [`manage_networkd`](#-systemd--manage_networkd)
 * [`networkd_ensure`](#-systemd--networkd_ensure)
+* [`networkd_package`](#-systemd--networkd_package)
 * [`manage_timesyncd`](#-systemd--manage_timesyncd)
 * [`timesyncd_ensure`](#-systemd--timesyncd_ensure)
 * [`timesyncd_package`](#-systemd--timesyncd_package)
@@ -287,6 +289,14 @@ Takes a boolean argument or one of "udp" and "tcp".
 
 Default value: `undef`
 
+##### <a name="-systemd--dns_stub_listener_extra"></a>`dns_stub_listener_extra`
+
+Data type: `Optional[Array[String[1]]]`
+
+Additional addresses for the DNS stub listener to listen on
+
+Default value: `undef`
+
 ##### <a name="-systemd--manage_resolv_conf"></a>`manage_resolv_conf`
 
 Data type: `Boolean`
@@ -321,6 +331,14 @@ The state that the ``networkd`` service should be in
 
 Default value: `'running'`
 
+##### <a name="-systemd--networkd_package"></a>`networkd_package`
+
+Data type: `Optional[String[1]]`
+
+Name of the package required for systemd-networkd, if any
+
+Default value: `undef`
+
 ##### <a name="-systemd--manage_timesyncd"></a>`manage_timesyncd`
 
 Data type: `Boolean`
@@ -2425,6 +2443,33 @@ Struct[{
     Optional['StandardInput']             => Variant[Enum['null','tty','tty-force','tty-fail','data','socket'], Pattern[/\A(file:|fd:).+$\z/]],
     Optional['PrivateTmp']                => Boolean,
     Optional['RuntimeDirectory']          => String,
+    Optional['RuntimeDirectoryMode']      => Stdlib::Filemode,
+    Optional['LogsDirectory']             => String,
+    Optional['LogsDirectoryMode']         => Stdlib::Filemode,
+    Optional['ProtectSystem']             => Variant[Boolean, Enum['full', 'strict']],
+    Optional['ProtectHome']               => Variant[Boolean, Enum['read-only', 'tmpfs']],
+    Optional['BindPaths']                 => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+    Optional['BindReadOnlyPaths']         => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+    Optional['PrivateDevices']            => Boolean,
+    Optional['RemoveIPC']                 => Boolean,
+    Optional['ProtectKernelModules']      => Boolean,
+    Optional['ProtectKernelTunables']     => Boolean,
+    Optional['ProtectControlGroups']      => Boolean,
+    Optional['RestrictRealtime']          => Boolean,
+    Optional['RestrictAddressFamilies']   => Variant[Enum['AF_UNIX', 'AF_INET', 'AF_INET6', 'AF_NETLINK', 'none'], Array[Enum['AF_UNIX', 'AF_INET', 'AF_INET6', 'AF_NETLINK', 'none']]],
+    Optional['RestrictNamespaces']        => Variant[Boolean, Enum['ipc', 'net', 'mnt', 'pid', 'user', 'uts', 'cgroup'], Array[Enum['ipc', 'net', 'mnt', 'pid', 'user', 'uts', 'cgroup']]],
+    Optional['SystemCallArchitectures']   => Variant[String, Array[String]],
+    Optional['SystemCallFilter']          => Variant[String, Array[String]],
+    Optional['SystemCallErrorNumber']     => String,
+    Optional['ProtectClock']              => Boolean,
+    Optional['PrivateUsers']              => Boolean,
+    Optional['ProtectKernelLogs']         => Boolean,
+    Optional['ProtectProc']               => Enum['noaccess', 'invisible', 'ptraceable', 'default'],
+    Optional['ProtectHostname']           => Boolean,
+    Optional['RestrictSUIDSGID']          => Boolean,
+    Optional['CapabilityBoundingSet']     => Variant[String, Array[String]],
+    Optional['NoNewPrivileges']           => Boolean,
+    Optional['LockPersonality']           => Boolean,
   }]
 ```
 

data/Debian-12.yaml

@@ -0,0 +1,11 @@
+---
+systemd::accounting:
+  DefaultCPUAccounting: 'yes'
+  DefaultIOAccounting: 'yes'
+  DefaultIPAccounting: 'yes'
+  DefaultBlockIOAccounting: 'yes'
+  DefaultMemoryAccounting: 'yes'
+  DefaultTasksAccounting: 'yes'
+
+systemd::timesyncd_package: 'systemd-timesyncd'
+systemd::resolved_package: 'systemd-resolved'

data/RedHat-family.yaml

@@ -0,0 +1,2 @@
+---
+systemd::networkd_package: systemd-networkd

hiera.yaml

@@ -9,6 +9,8 @@ hierarchy:
   - name: 'Distribution Name'
     path: '%{facts.os.name}.yaml'
   - name: 'OS Family Major Version'
-    path: '%{facts.os.family}-%{facts.os.release.major}.yaml'
+    path: '%{facts.os.family}-family-%{facts.os.release.major}.yaml'
+  - name: 'OS Family'
+    path: '%{facts.os.family}-family.yaml'
   - name: 'common'
     path: 'common.yaml'

manifests/init.pp

@@ -66,6 +66,9 @@
 # @param dns_stub_listener
 #   Takes a boolean argument or one of "udp" and "tcp".
 #
+# @param dns_stub_listener_extra
+#   Additional addresses for the DNS stub listener to listen on
+#
 # @param manage_resolv_conf
 #   For when `manage_resolved` is `true` should the file `/etc/resolv.conf` be managed.
 #
@@ -80,6 +83,9 @@
 # @param networkd_ensure
 #   The state that the ``networkd`` service should be in
 #
+# @param networkd_package
+#   Name of the package required for systemd-networkd, if any
+#
 # @param manage_timesyncd
 #   Manage the systemd timesyncd daemon
 #
@@ -197,10 +203,12 @@
   Variant[Boolean,Enum['yes', 'opportunistic', 'no']] $dnsovertls = false,
   Variant[Boolean,Enum['no-negative']]                $cache = false,
   Optional[Variant[Boolean,Enum['udp','tcp']]]        $dns_stub_listener = undef,
+  Optional[Array[String[1]]] $dns_stub_listener_extra = undef,
   Boolean                                             $manage_resolv_conf = true,
   Boolean                                             $use_stub_resolver = false,
   Boolean                                             $manage_networkd = false,
   Enum['stopped','running']                           $networkd_ensure = 'running',
+  Optional[String[1]]                                 $networkd_package = undef,
   Boolean                                             $manage_timesyncd = false,
   Enum['stopped','running']                           $timesyncd_ensure = 'running',
   Optional[String[1]]                                 $timesyncd_package = undef,
@@ -281,6 +289,7 @@
 
   if $manage_networkd and $facts['systemd_internal_services'] and $facts['systemd_internal_services']['systemd-networkd.service'] {
     contain systemd::networkd
+    Class['systemd::install'] -> Class['systemd::networkd']
   }
 
   if $manage_timesyncd and $facts['systemd_internal_services'] and $facts['systemd_internal_services']['systemd-timesyncd.service'] {

manifests/install.pp

@@ -2,6 +2,12 @@
 # @api private
 #
 class systemd::install {
+  if $systemd::manage_networkd and $systemd::networkd_package {
+    package { $systemd::networkd_package:
+      ensure => present,
+    }
+  }
+
   if $systemd::manage_resolved and $systemd::resolved_package {
     package { $systemd::resolved_package:
       ensure => present,

manifests/manage_dropin.pp

@@ -86,6 +86,10 @@
     fail("Systemd::Manage_dropin[${name}]: for unit ${unit} path_entry is only valid for path units")
   }
 
+  if $socket_entry and $unit !~ Pattern['^[^/]+\.socket'] {
+    fail("Systemd::Manage_dropin[${name}]: for unit ${unit} socket_entry is only valid for socket units")
+  }
+
   systemd::dropin_file { $name:
     ensure                  => $ensure,
     filename                => $filename,

manifests/manage_unit.pp

@@ -124,6 +124,10 @@
     fail("Systemd::Manage_unit[${name}]: path_entry is only valid for path units")
   }
 
+  if $socket_entry and $name !~ Pattern['^[^/]+\.socket'] {
+    fail("Systemd::Manage_unit[${name}]: socket_entry is only valid for socket units")
+  }
+
   if $ensure != 'absent' and  $name =~ Pattern['^[^/]+\.service'] and !$service_entry {
     fail("Systemd::Manage_unit[${name}]: service_entry is required for service units")
   }

manifests/resolved.pp

@@ -41,6 +41,9 @@
 # @param dns_stub_listener
 #   Takes a boolean argument or one of "udp" and "tcp".
 #
+# @param dns_stub_listener_extra
+#   Additional addresses for the DNS stub listener to listen on
+#
 # @param use_stub_resolver
 #   Takes a boolean argument. When "false" (default) it uses /run/systemd/resolve/resolv.conf
 #   as /etc/resolv.conf. When "true", it uses /run/systemd/resolve/stub-resolv.conf
@@ -56,6 +59,7 @@
   Optional[Variant[Boolean,Enum['yes', 'opportunistic', 'no']]] $dnsovertls = $systemd::dnsovertls,
   Optional[Variant[Boolean,Enum['no-negative']]] $cache              = $systemd::cache,
   Optional[Variant[Boolean,Enum['udp', 'tcp']]] $dns_stub_listener   = $systemd::dns_stub_listener,
+  Optional[Array[String[1]]] $dns_stub_listener_extra                = $systemd::dns_stub_listener_extra,
   Boolean $use_stub_resolver                                         = $systemd::use_stub_resolver,
 ) {
   assert_private()
@@ -245,4 +249,15 @@
       notify  => Service['systemd-resolved'],
     }
   }
+
+  if $dns_stub_listener_extra {
+    ini_setting { 'dns_stub_listener_extra':
+      ensure  => 'present',
+      value   => $dns_stub_listener_extra,
+      setting => 'DNSStubListenerExtra',
+      section => 'Resolve',
+      path    => '/etc/systemd/resolved.conf',
+      notify  => Service['systemd-resolved'],
+    }
+  }
 }

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "puppet-systemd",
-  "version": "6.0.0",
+  "version": "6.1.0",
   "author": "Vox Pupuli",
   "summary": "Puppet Systemd module",
   "license": "Apache-2.0",
@@ -22,7 +22,8 @@
       "operatingsystem": "Debian",
       "operatingsystemrelease": [
         "10",
-        "11"
+        "11",
+        "12"
       ]
     },
     {
@@ -78,8 +79,8 @@
     {
       "operatingsystem": "OracleLinux",
       "operatingsystemrelease": [
-        "7",
-        "8"
+        "8",
+        "9"
       ]
     },
     {

spec/acceptance/networkd_spec.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require 'spec_helper_acceptance'
+
+describe 'systemd with manage_networkd true' do
+  has_package = fact('os.family') == 'RedHat'
+
+  # On Enterprise Linux 8 & 9 the package is shipped in EPEL
+  before { install_package(default, 'epel-release') if has_package && %w[8 9].include?(fact('os.release.major')) }
+
+  context 'configure systemd-networkd' do
+    let(:manifest) do
+      <<~PUPPET
+        class { 'systemd':
+          manage_networkd => true,
+        }
+      PUPPET
+    end
+
+    it 'works idempotently with no errors' do
+      apply_manifest(manifest, catch_failures: true)
+      # Package systemd-networkd needs to be installed before fact $facts['internal_services'] is set
+      apply_manifest(manifest, catch_failures: true) if has_package
+      apply_manifest(manifest, catch_changes: true)
+    end
+
+    describe service('systemd-networkd') do
+      it { is_expected.to be_running }
+      it { is_expected.to be_enabled }
+    end
+
+    it { expect(package('systemd-networkd')).to be_installed } if has_package
+  end
+
+  context 'configure systemd stopped' do
+    let(:manifest) do
+      <<~PUPPET
+        class { 'systemd':
+          manage_networkd => true,
+          networkd_ensure => 'stopped',
+        }
+      PUPPET
+    end
+
+    it 'works idempotently with no errors' do
+      apply_manifest(manifest, catch_failures: true)
+      apply_manifest(manifest, catch_changes: true)
+    end
+
+    describe service('systemd-networkd') do
+      it { is_expected.not_to be_running }
+      it { is_expected.not_to be_enabled }
+    end
+  end
+end

spec/acceptance/resolved_spec.rb

@@ -3,6 +3,8 @@
 require 'spec_helper_acceptance'
 
 describe 'systemd with manage_resolved true' do
+  has_package = (fact('os.family') == 'RedHat' && fact('os.release.major') != '8') || (fact('os.name') == 'Debian' && fact('os.release.major').to_i >= 12)
+
   context 'configure systemd resolved' do
     it 'works idempotently with no errors' do
       pp = <<-PUPPET
@@ -12,15 +14,17 @@
       }
       PUPPET
       apply_manifest(pp, catch_failures: true)
-      # RedHat 7, 9 and newer installs package first run before fact $facts['internal_services'] is set
-      apply_manifest(pp, catch_failures: true) if fact('os.release.major') != '8' && (fact('os.family') == 'RedHat')
+      # RedHat 7, 9, Debian 12 and newer installs package first run before fact $facts['internal_services'] is set
+      apply_manifest(pp, catch_failures: true) if has_package
       apply_manifest(pp, catch_changes: true)
     end
 
     describe service('systemd-resolved') do
       it { is_expected.to be_running }
       it { is_expected.to be_enabled }
     end
+
+    it { expect(package('systemd-resolved')).to be_installed } if has_package
   end
 
   context 'configure systemd stopped' do

spec/classes/init_spec.rb

@@ -17,6 +17,7 @@
         it { is_expected.not_to create_service('systemd-resolved') }
         it { is_expected.not_to create_service('systemd-networkd') }
         it { is_expected.not_to create_service('systemd-timesyncd') }
+        it { is_expected.not_to contain_package('systemd-networkd') }
         it { is_expected.not_to contain_package('systemd-timesyncd') }
         it { is_expected.not_to contain_package('systemd-resolved') }
         it { is_expected.not_to contain_class('systemd::coredump') }
@@ -39,8 +40,14 @@
           it { is_expected.to create_service('systemd-networkd').with_enable(true) }
           it { is_expected.not_to contain_file('/etc/systemd/network') }
 
+          if facts[:os]['family'] == 'RedHat'
+            it { is_expected.to contain_package('systemd-networkd') }
+          else
+            it { is_expected.not_to contain_package('systemd-networkd') }
+          end
+
           case [facts[:os]['family'], facts[:os]['release']['major']]
-          when %w[RedHat 7], %w[RedHat 9]
+          when %w[RedHat 7], %w[RedHat 9], %w[Debian 12]
             it { is_expected.to contain_package('systemd-resolved') }
           else
             it { is_expected.not_to contain_package('systemd-resolved') }
@@ -143,6 +150,7 @@
               dnsovertls: 'no',
               cache: true,
               dns_stub_listener: 'udp',
+              dns_stub_listener_extra: ['192.0.2.1', '2001:db8::1'],
             }
           end
 
@@ -164,6 +172,7 @@
           }
 
           it { is_expected.to contain_ini_setting('dns_stub_listener') }
+          it { is_expected.to contain_ini_setting('dns_stub_listener_extra').with_value(['192.0.2.1', '2001:db8::1']) }
         end
 
         context 'when enabling resolved with no-negative cache variant' do