Use override for tor.service

3 files changed, 12 insertions, 31 deletions

diff --git a/roles/tor/files/override.conf b/roles/tor/files/override.conf
new file mode 100644
index 0000000..00be00f
--- /dev/null
+++ b/roles/tor/files/override.conf
@@ -0,0 +1,2 @@
+[Unit]
+After=wg-quick@wgtor0.service
diff --git a/roles/tor/files/tor.service b/roles/tor/files/tor.service
deleted file mode 100644
index d41767b..0000000
--- a/roles/tor/files/tor.service
+++ /dev/null
@@ -1,29 +0,0 @@
-[Unit]
-Description=Anonymizing overlay network for TCP
-After=network.target nss-lookup.target wg-quick@wgtor0.service
-
-[Service]
-Type=notify
-NotifyAccess=all
-ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config
-ExecStart=/usr/bin/tor -f /etc/tor/torrc
-ExecReload=/bin/kill -HUP ${MAINPID}
-KillSignal=SIGINT
-TimeoutSec=60
-Restart=on-failure
-WatchdogSec=1m
-LimitNOFILE=32768
-
-# Hardening
-PrivateTmp=yes
-PrivateDevices=yes
-ProtectHome=yes
-ProtectSystem=full
-ReadOnlyDirectories=/
-ReadWriteDirectories=-/var/lib/tor
-ReadWriteDirectories=-/var/log/tor
-NoNewPrivileges=yes
-CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH CAP_KILL
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/tor/tasks/main.yml b/roles/tor/tasks/main.yml
index 78b9856..6bb7a61 100644
--- a/roles/tor/tasks/main.yml
+++ b/roles/tor/tasks/main.yml
@@ -34,10 +34,18 @@
   notify:
     - Reload tor
 
+- name: Setup directory for tor systemd override
+  ansible.builtin.file:
+    path: /etc/systemd/system/tor.service.d
+    state: directory
+    owner: root
+    group: root
+    mode: u+rw,g+r,o+r
+
 - name: Configure tor systemd service
   ansible.builtin.copy:
-    src: files/tor.service
-    dest: /usr/lib/systemd/system/tor.service
+    src: files/override.conf
+    dest: /etc/systemd/system/tor.service.d
     owner: root
     group: root
     mode: u+rw,g+r,o+r