Feature request: Ability to define additional capabilites in systemd file

[joe-bowman]

Using the pam-auth plugin that ships with OpenVPN, requires editing of the systemd file to add CAP_AUDIT_WRITE to be able to authenticate against PAM.

At present the formula does not manage the systemd file, and instead uses the one that ships with the package. Can we add the ability to amend the systemd file with the additional capabilty if required?

Thanks.

[aboe76]

if you wan't you can create a PR, with an pillar variable and an if statement to create a systemd override file..something like:

{%- if openvpn.cap_audit_write  %}
reload_systemd_configuration:
  cmd.wait:
    - name: systemctl daemon-reload
    - runas: root

openvpn_override:
  file.managed:
    - name: /etc/systemd/system/openvpn.service.d/10-pam-capability-fix.conf
    - contents: |
          [Service]
          CapabilityBoundingSet=
          CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
    - makedirs: True
    - watch_in:
      - cmd: reload_systemd_configuration
{% endif %}