ansible-role-tomcat/templates/tomcat-service.j2


#
# Systemd unit file for Apache Tomcat
#
[Unit]
Description=Apache Tomcat {{ tomcat_version }} Web Application Server
# Ordering only: start after these targets; After= does not pull them in.
After=syslog.target network.target
# Both paths must be mounted before the service starts
# (adds Requires= and After= on the corresponding mount units).
RequiresMountsFor=/var/log/tomcat{{ tomcat_version }} /var/lib/tomcat{{ tomcat_version }}
# Start rate limit: at most 5 start attempts within 500 seconds; once exceeded,
# further starts (including automatic restarts) are refused.
StartLimitBurst=5
StartLimitIntervalSec=500
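[Service]
Environment="CATALINA_HOME=/usr/share/tomcat{{ tomcat_version }}"
Environment="CATALINA_BASE=/var/lib/tomcat{{ tomcat_version }}"
Environment="CATALINA_TMPDIR={{ tomcat_tmp_dir }}"
Environment="JAVA_OPTS=-Djava.awt.headless=true"
Type=simple
# The "+" prefix runs this helper with full privileges: User=, Group= and the
# sandboxing options below are NOT applied to it. Keep the script and its
# parent directories owned by root and not writable by the service account.
ExecStartPre=+/usr/libexec/tomcat{{ tomcat_version }}/tomcat-update-policy.sh
ExecStart=/bin/sh /usr/libexec/tomcat{{ tomcat_version }}/tomcat-start.sh
# 143 = 128 + SIGTERM: the JVM's exit status after a regular stop request.
SuccessExitStatus=143
RestartSec=10
# Restart= takes exactly one value. A list such as "on-failure on-abort" is
# rejected by systemd and the setting falls back to the default (no restart).
# on-failure already includes the uncaught-signal case covered by on-abort.
Restart=on-failure
# Logging
SyslogIdentifier=tomcat{{ tomcat_version }}
User={{ tomcat_user }}
Group={{ tomcat_user }}
{% if tomcat_systemd_security %}
# Baseline sandbox: private /tmp, no privilege gain through setuid/file
# capabilities, read-only file system except for the paths listed below.
PrivateTmp=yes
# Lets the unprivileged service account bind ports below 1024.
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
CacheDirectory=tomcat{{ tomcat_version }}
CacheDirectoryMode=750
ProtectSystem=strict
# NOTE(review): with ProtectSystem=strict the CATALINA_TMPDIR location must
# stay writable (private /tmp, the cache directory or one of the paths
# below) - confirm against the role defaults.
ReadWritePaths=/etc/tomcat{{ tomcat_version }}/Catalina/
ReadWritePaths={{ tomcat_webapps_dir }}
ReadWritePaths={{ tomcat_logdir }}
{% endif %}
{% if tomcat_systemd_security_enhanced %}
# NOTE(review): if this toggle is enabled without tomcat_systemd_security,
# ProtectSystem=strict applies with no ReadWritePaths=, so the log and webapps
# directories would be read-only - confirm the role always enables both.
ProtectSystem=strict
ProtectHome=yes
PrivateDevices=yes
# PrivateUsers= places the service in its own user namespace, where it holds
# no capabilities on the host. AmbientCapabilities=CAP_NET_BIND_SERVICE is
# then expected to have no effect on host ports below 1024 - verify if
# Tomcat is meant to listen on a privileged port.
PrivateUsers=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
# Only IPv4/IPv6 sockets are allowed; AF_UNIX is excluded, so anything in the
# JVM that needs a local socket would be blocked - verify.
RestrictAddressFamilies=AF_INET6 AF_INET
SystemCallArchitectures=native
SystemCallFilter=@system-service
{% endif %}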
[Install]
# "systemctl enable" links the unit into multi-user.target so it starts at boot.
WantedBy=multi-user.target