feat: force attr for log/ini files

- based for systemd service with inotify;
- group and permissions can be set in kf2-srv.conf;
- bot password in separate conf with no permissions for others.

SOURCES/bot.conf

@@ -0,0 +1,4 @@
+# Bot default password
+# To change the password for the bot, you must do this here and in WebAdmin.
+# Otherwise, the bot will stop working and some actions cannot be done on running servers
+ServerBotPassword=VerySecretBotPassword

SOURCES/kf2-srv

@@ -26,10 +26,11 @@ declare -A MutNames
 
 source /etc/steamcmd/steamcmd.conf
 source /etc/kf2-srv/kf2-srv.conf
+source /etc/kf2-srv/bot.conf
 
 ScriptFullname=$(readlink -e "$0")
 ScriptName=$(echo "$ScriptFullname" | awk -F '/' '{print $NF;}')
-readonly ScriptVersion="0.11.1"
+readonly ScriptVersion="0.12.0"
 
 # Constants. Don't change.
 readonly AppServerNum="232130"

SOURCES/kf2-srv-beta@.service

@@ -1,5 +1,6 @@
 [Unit]
 Description=Killing Floor 2 Beta Server Daemon - %i
+After=kf2-srv-force-attr.service
 After=network-online.target
 Wants=network-online.target
 

SOURCES/kf2-srv-force-attr.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=kf2-srv force attr service
+
+[Service]
+Type=simple
+StandardOutput=null
+StandardError=null
+EnvironmentFile=/etc/kf2-srv/kf2-srv.conf
+ExecStart=/bin/bash -c 'declare -a DiffNames WaveNames; declare -A ModeNames MutNames; source /etc/kf2-srv/kf2-srv.conf; /usr/bin/inotifywait -qmr -e create -e moved_to --format %w%f /var/log/kf2-srv /var/log/kf2-srv-beta /etc/kf2-srv/instances /etc/kf2-srv/instances-beta | while read File; do if echo "${File}" | grep -Piq "\.log$"; then chmod "${ForceLogPermissions}" "${File}"; chown :"${ForceLogGroup}" "${File}"; elif echo "${File}" | grep -Piq "\.ini$"; then chmod "${ForceIniPermissions}" "${File}"; chown :"${ForceIniGroup}" "${File}"; fi; done'
+Restart=always
+
+NoNewPrivileges=yes
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=true
+
+[Install]
+WantedBy=multi-user.target

SOURCES/kf2-srv.conf

@@ -3,7 +3,7 @@
 DiffNames=('Normal' 'Hard' 'Suicide' 'Hell')
 
 # Displays the number of waves
-# You can rename them as you like
+# You can rename them as you like (e.g. 'short' 'medium' 'long')
 WaveNames=('4' '7' '10')
 
 # Add custom gamemodes to the end of the list, similar to what is already there:
@@ -16,7 +16,9 @@ ModeNames['KFGameContent.KFGameInfo_VersusSurvival']='Versus'
 # Add mutators to the end of the list, similar to what is already there:
 MutNames['ServerExtMut.ServerExtMut']='RPG'
 
-# Bot default password
+# These parameters works only if "kf2-srv-force-attr.service" is active
-# To change the password for the bot, you must do this here and in WebAdmin.
+ForceIniPermissions=644
-# Otherwise, the bot will stop working and some actions cannot be done on running servers
+ForceLogPermissions=640
-ServerBotPassword=VerySecretBotPassword
+ForceIniGroup=steam
+ForceLogGroup=steam
+

SOURCES/kf2-srv@.service

@@ -1,5 +1,6 @@
 [Unit]
 Description=Killing Floor 2 Server Daemon - %i
+After=kf2-srv-force-attr.service
 After=network-online.target
 Wants=network-online.target
 

SPECS/kf2-srv.spec

@@ -22,6 +22,8 @@ Source11:   %{name}.conf
 Source12:   COPYING
 Source13:   rsyslog-%{name}.conf
 Source14:   logrotate-%{name}
+Source15:   bot.conf
+Source16:   %{name}-force-attr.service
 
 Requires:   systemd >= 219
 Requires:   steamcmd
@@ -38,6 +40,7 @@ Requires:   gawk
 Requires:   multini >= 0.2.3
 Requires:   rsyslog >= 8.25.0
 Requires:   logrotate
+Requires:   inotify-tools
 
 Provides:   %{name}
 
@@ -80,6 +83,8 @@ install -m 644 %{SOURCE11} %{buildroot}/%{_sysconfdir}/%{name}
 install -m 644 %{SOURCE12} %{buildroot}/%{_datadir}/licenses/%{name}
 install -m 644 %{SOURCE13} %{buildroot}/%{_sysconfdir}/rsyslog.d/%{name}.conf
 install -m 644 %{SOURCE14} %{buildroot}/%{_sysconfdir}/logrotate.d/%{name}
+install -m 644 %{SOURCE15} %{buildroot}/%{_sysconfdir}/%{name}
+install -m 644 %{SOURCE16} %{buildroot}/%{_prefix}/lib/systemd/system
 
 %clean
 rm -rf $RPM_BUILD_ROOT
@@ -95,6 +100,7 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0770,root,%{steamuser}) %dir               %{_localstatedir}/log/%{name}-beta
 %attr(0664,root,%{steamuser}) %config(noreplace) %{_sysconfdir}/%{name}/main.conf.template
 %attr(0664,root,%{steamuser}) %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
+%attr(0640,root,%{steamuser}) %config(noreplace) %{_sysconfdir}/%{name}/bot.conf
 %attr(0644,root,root)         %config(noreplace) %{_prefix}/lib/firewalld/services/%{name}.xml
 %attr(0755,root,root)                            %{_bindir}/%{name}
 %attr(0755,root,root)                            %{_bindir}/%{name}-beta
@@ -123,7 +129,8 @@ systemctl try-restart rsyslog.service
 * Sun Jul 12 2020 GenZmeY <genzmey@gmail.com> - 0.12.0-1
 - chat logs without timestamp;
 - update rsyslog config - now logs will be create with steam group and 640 permissions;
-- update logrotate config (fixed that logrotate does nothing).
+- update logrotate config (fixed that logrotate does nothing);
+- feat: force attr for log/ini files.
 
 * Thu Jul 9 2020 GenZmeY <genzmey@gmail.com> - 0.11.1-1
 - fix syntax error in firewalld service.

TODO

@@ -11,8 +11,6 @@
 - generate unique password for server bot on install
 - parallel actions
 - bash completion
-- fix permissions for log/ini by inotify. Example:
-	inotifywait -qm -e 'create' -e 'moved_to' --format %w%f /home/genzmey/test/ /home/genzmey/test2/
 
 ###################