feat: added (maintenance) timers for nfs timeout notifications

tasks/rosetta/configure_nfs_monitoring.yml

@@ -20,7 +20,7 @@
       loop:
         - "nfs_timeout_notification.service.sh"
 
-    - name: install NFS monitoring services (2/3) - copy service unit
+    - name: install NFS monitoring services (2/3) - copy service units & timers
       ansible.builtin.template:
         src: "usr/local/lib/systemd/system/{{ item }}.j2"
         dest: "/usr/local/lib/systemd/system/{{ item }}"
@@ -29,13 +29,19 @@
         group: "root"
       loop:
         - "nfs_timeout_notification.service"
+        - "nfs_timeout_notification_stop.service"
+        - "nfs_timeout_notification_start.timer"
+        - "nfs_timeout_notification_stop.timer"
       notify: daemon-reload
 
-    - name: install NFS monitoring services (3/3) - enable service
+    - name: install NFS monitoring services (3/3) - enable services & timers
       ansible.builtin.systemd_service:
         name: "{{ item.name }}"
         enabled: "{{ item.enabled | default(true) }}"
         state: "{{ item.state | default('started') }}"
         daemon_reload: true
       loop:
-        - name: "nfs_timeout_notification.service"
+        - { name: "nfs_timeout_notification.service" }
+        - { name: "nfs_timeout_notification_stop.service", state: "stopped" }
+        - { name: "nfs_timeout_notification_start.timer" }
+        - { name: "nfs_timeout_notification_stop.timer" }
\ No newline at end of file

templates/usr/local/lib/systemd/system/nfs_timeout_notification_start.timer.j2

+[Unit]
+Description=timer for nfs_timeout_notification.service
+
+[Timer]
+# run on the 1st Tuesday of each month
+# You can validate your calendar expressions using `systemd-analyze calendar EXPR`.
+# Of course, the expression we use on our Debian systems won't work on the
+# jurassic RHEL versions of systemd 219, because the ".." syntax for timespans
+# in calendar events isn't supported yet. Instead, we have to use the older
+# syntax that explicitly lists all days separated by commas.
+# One more reason for RHEL to fuck ALL THE WAY OFF!
+# OnCalendar=Tue *-*-01..07 08:00:00    # NOT THIS on RHEL 7!
+OnCalendar=Tue *-*-01,02,03,04,05,06,07 15:00:00
+Unit=nfs_timeout_notification.service
+
+[Install]
+WantedBy=default.target

templates/usr/local/lib/systemd/system/nfs_timeout_notification_stop.service.j2

+[Unit]
+Description=stop monitor journal for NFS timeouts and notify staff
+After=remote-fs.target
+Conflicts=nfs_timeout_notification.service
+
+[Service]
+Type=simple
+Restart=no
+ExecStart=/usr/bin/true
+User={{ vault_nfs_timeout_notification_service.owner }}
+Group={{ vault_nfs_timeout_notification_service.group }}
+
+### Security features
+# documented at https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+# or at `man (5) systemd.exec`
+ProtectSystem=full
+ProtectHome=read-only
+#ProtectHostname=true
+#ProtectClock=true
+#ProtectKernelTunables=true
+#ProtectKernelModules=true
+#ProtectKernelLogs=true
+#ProtectControlGroups=true
+#LockPersonality=true
+#MemoryDenyWriteExecute=true
+#RestrictRealtime=true
+#RestrictSUIDSGID=true
+## RemoveIPC=true
+## PrivateMounts=true
+## MountFlags=
+## SystemCallFilter is a Whitelist!!!
+#SystemCallFilter=@debug,@file-system
+#SystemCallErrorNumber=1337
+
+[Install]
+WantedBy=multi-user.target

templates/usr/local/lib/systemd/system/nfs_timeout_notification_stop.timer.j2

+[Unit]
+Description=timer for nfs_timeout_notification_stop.service
+
+[Timer]
+# run on the 1st Tuesday of each month
+# You can validate your calendar expressions using `systemd-analyze calendar EXPR`.
+# Of course, the expression we use on our Debian systems won't work on the
+# jurassic RHEL versions of systemd 219, because the ".." syntax for timespans
+# in calendar events isn't supported yet. Instead, we have to use the older
+# syntax that explicitly lists all days separated by commas.
+# One more reason for RHEL to fuck ALL THE WAY OFF!
+# OnCalendar=Tue *-*-01..07 08:00:00    # NOT THIS on RHEL 7!
+OnCalendar=Tue *-*-01,02,03,04,05,06,07 07:55:00
+Unit=nfs_timeout_notification.service
+
+[Install]
+WantedBy=default.target