authorZac Medico <zachary.medico@sony.com>2019-07-15 13:42:47 -0700
committerZac Medico <zmedico@gentoo.org>2019-07-15 13:51:48 -0700
commitb2cc4c52499d3a6cf509d7372a603bc265423c9e (patch)
treed4cbd6324b3596fb03cb4bd9a7b1f1b2bbd0c68b /app-admin/vault/files
parentsys-kernel/raspberrypi-image: reuse sys-boot/raspberrypi-firmware distfile (diff)
app-admin/vault: increase max open files
See: https://learn.hashicorp.com/vault/operations/ops-deployment-guide#step-3-configure-systemd Package-Manager: Portage-2.3.69, Repoman-2.3.16 Copyright: Sony Interactive Entertainment Inc. Signed-off-by: Zac Medico <zmedico@gentoo.org>
Diffstat (limited to 'app-admin/vault/files')
-rw-r--r--app-admin/vault/files/vault.initd3
-rw-r--r--app-admin/vault/files/vault.service25
2 files changed, 21 insertions, 7 deletions
diff --git a/app-admin/vault/files/vault.initd b/app-admin/vault/files/vault.initd
index d430bb8d39a9..e4bd3e7c13d0 100644
--- a/app-admin/vault/files/vault.initd
+++ b/app-admin/vault/files/vault.initd
@@ -1,10 +1,11 @@
#!/sbin/openrc-run
-# Copyright 2015-2017 Gentoo Foundation
+# Copyright 2015-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
description="vault server"
group=${group:-${RC_SVCNAME}}
pidfile=${pidfile:-"/run/${RC_SVCNAME}.pid"}
+rc_ulimit=${rc_ulimit-"-n 65536"}
user=${user:-${RC_SVCNAME}}
command="/usr/bin/${RC_SVCNAME}"
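Review bot: The added `rc_ulimit=${rc_ulimit-"-n 65536"}` line uses `-` where the neighbouring `group`, `pidfile` and `user` defaults use `:-`, so an `rc_ulimit` that is set but empty is kept, and the service then starts with whatever open-files limit it inherits. If that opt-out is intended, a comment above the line would keep it from being "corrected" later, for example `# "-" (not ":-"): an explicitly empty rc_ulimit disables the default limit`. The value 65536 is repeated as `LimitNOFILE=65536` in vault.service, so the two files need to change together.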
diff --git a/app-admin/vault/files/vault.service b/app-admin/vault/files/vault.service
index 3071d0346277..939d8cafc24e 100644
--- a/app-admin/vault/files/vault.service
+++ b/app-admin/vault/files/vault.service
@@ -4,15 +4,28 @@ Requires=network-online.target
After=network-online.target
[Service]
-User=vault
Environment=VAULT_SERVER_OPTS="-config=/etc/vault.d"
-ExecStart=/usr/bin/vault server $VAULT_SERVER_OPTS
-CapabilityBoundingSet=CAP_IPC_LOCK
-AmbientCapabilities=CAP_IPC_LOCK
-Capabilities=CAP_IPC_LOCK=ep
+User=vault
+Group=vault
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+Capabilities=CAP_IPC_LOCK+ep
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+NoNewPrivileges=yes
+ExecStart=/usr/bin/vault server $VAULT_SERVER_OPTS
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGINT
Restart=on-failure
-SuccessExitStatus=2
+RestartSec=5
+TimeoutStopSec=30
+StartLimitIntervalSec=60
+StartLimitBurst=3
+LimitNOFILE=65536
[Install]
WantedBy=default.target
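Review bot: `CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK` widens the bounding set beyond the `CAP_IPC_LOCK` the old unit allowed, while nothing visible in this unit puts CAP_SYSLOG into the ambient set or explains why it is needed. Keeping `CapabilityBoundingSet=CAP_IPC_LOCK` would match `AmbientCapabilities=` and the least-privilege intent of the other hardening lines. The commit title mentions only the open-files limit, so the capability change and the new sandboxing options (`ProtectSystem=`, `ProtectHome=`, `PrivateTmp=`, `PrivateDevices=`, `NoNewPrivileges=`) deserve a line in the description. `Capabilities=CAP_IPC_LOCK+ep` is, as far as I know, no longer acted on by recent systemd releases, so `AmbientCapabilities=` is what actually hands the capability to the non-root process and the line could be dropped. `StartLimitIntervalSec=` and `StartLimitBurst=` are added under `[Service]`, but newer systemd expects them in `[Unit]` and may ignore them here, which is worth confirming with `systemd-analyze verify`.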