author | David Timber <dxdt@dev.snart.me> | 2022-05-16 15:53:36 +0800 |
---|---|---|
committer | David Timber <dxdt@dev.snart.me> | 2022-05-16 15:53:36 +0800 |
commit | 990a7a560c98dcbaa9c9e8deb0968819b646a664 (patch) | |
tree | b56f57e853b41ba19db7a6b7099ba6c8e6cfa829 /src/conf | |
parent | e80babb6e02c647101766c802a0378d12149fda7 (diff) |
Changes ...
- Deprecate palhm-dnssec-check.sh
- Merge check-dnssec and boot-report config into the sample config
- Add crontab sample
- Reduce Python requirement to 3.5
- Remove use of capture_output
- boot-report: remove systemd-analyze as the command is not available
during boot time
- Change config schema
- "object-groups" and "objects" are now optional
- Change "boot-report" include behaviour
Diffstat (limited to 'src/conf')
-rw-r--r-- | src/conf/crontab | 6 | ||||
-rw-r--r-- | src/conf/palhm-boot-report.service | 4 | ||||
l--------- | src/conf/py-debug/palhm.jsonc | 2 | ||||
-rw-r--r-- | src/conf/py-sample/boot-report.jsonc | 7 | ||||
-rw-r--r-- | src/conf/py-sample/conf.d/core.json | 12 | ||||
-rw-r--r-- | src/conf/py-sample/sample.jsonc | 37 |
6 files changed, 57 insertions, 11 deletions
diff --git a/src/conf/crontab b/src/conf/crontab
new file mode 100644
index 0000000..35f52ce
--- /dev/null
+++ b/src/conf/crontab
@@ -0,0 +1,6 @@
+# PALHM will produce stderr on exception. Mail the output to root
+MAILTO="root"
+# Run default task every Sunday at midnight
+0 0 * * sun root /var/lib/PALHM/src/palhm.py -q run
+# Check dnssec validity every hour
+# 0 * * * * root systemd-run -qP -p Nice=15 -p ProtectSystem=strict -p ReadOnlyPaths=/ -p PrivateDevices=true --wait /var/lib/PALHM/src/palhm.py -q run check-dnssec
diff --git a/src/conf/palhm-boot-report.service b/src/conf/palhm-boot-report.service
index 288aabd..37a4e61 100644
--- a/src/conf/palhm-boot-report.service
+++ b/src/conf/palhm-boot-report.service
@@ -6,9 +6,7 @@ After=postfix.service sendmail.service exim.service
 Type=oneshot
 ExecStart=/var/lib/PALHM/src/palhm.py -q boot-report
 Nice=10
-ProtectSystem=strict
-ReadOnlyPaths=/
-PrivateDevices=true
+User=palhm
 [Install]
 WantedBy=multi-user.target
diff --git a/src/conf/py-debug/palhm.jsonc b/src/conf/py-debug/palhm.jsonc
index fb68baf..c40e201 120000
--- a/src/conf/py-debug/palhm.jsonc
+++ b/src/conf/py-debug/palhm.jsonc
@@ -1 +1 @@
-aws.jsonc
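Review bot: In src/conf/crontab the active weekly entry runs `/var/lib/PALHM/src/palhm.py -q run` as root with no confinement, while the commented hourly check directly below wraps the same script in `systemd-run ... -p ProtectSystem=strict -p ReadOnlyPaths=/ -p PrivateDevices=true`. A root cron job is only as trustworthy as the write permissions on the script and the configuration it loads, so the sample should state that `/var/lib/PALHM` and the config directory must be root-owned and not writable by the `palhm` account that the boot-report unit in this commit runs as. The lines also carry a user column, which is the system crontab format rather than the `crontab -e` one; a header comment such as `# System crontab format (user field present): install under /etc/cron.d/` would prevent a misinstall.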
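Review bot: In src/conf/palhm-boot-report.service the `[Service]` section loses `ProtectSystem=strict`, `ReadOnlyPaths=/` and `PrivateDevices=true` in the same change that adds `User=palhm`, and nothing in the unit records why. Dropping root is a real gain, but the service can now write wherever the `palhm` account can and sees the host's device nodes. If the strict settings were removed because the MUA could not write its spool (an assumption, the reason is not visible here), a narrower `ProtectSystem=full` would still keep `/usr` and `/etc` read-only. A one-line comment above `User=palhm` saying why the sandbox options were dropped, and that the `palhm` account must exist before the unit is enabled, would help the next reader; the section begins above this hunk.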
\ No newline at end of file
+../py-sample/sample.jsonc
\ No newline at end of file
diff --git a/src/conf/py-sample/boot-report.jsonc b/src/conf/py-sample/boot-report.jsonc
deleted file mode 100644
index dd9d606..0000000
--- a/src/conf/py-sample/boot-report.jsonc
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "boot-report": {
- // "mua": "stdout",
- "mua": "mailx",
- "mail-to": [ "root" ]
- }
-}
diff --git a/src/conf/py-sample/conf.d/core.json b/src/conf/py-sample/conf.d/core.json
index 46d3feb..7145eae 100644
--- a/src/conf/py-sample/conf.d/core.json
+++ b/src/conf/py-sample/conf.d/core.json
@@ -36,6 +36,18 @@
 {
 "id": "os-release",
 "argv": [ "/bin/cat", "/etc/os-release" ]
+ },
+ {
+ "id": "dig-dnssec",
+ "argv": [ "/bin/dig", "+short", "+dnssec", "+notcp" ]
+ },
+ {
+ "id": "grep-any",
+ "argv": [ "/bin/grep", "." ]
+ },
+ {
+ "id": "null-stdout-sink",
+ "argv": [ "/bin/cp", "/dev/stdin", "/dev/null" ]
 }
 ]
 }
diff --git a/src/conf/py-sample/sample.jsonc b/src/conf/py-sample/sample.jsonc
index f1c4501..0da72a6 100644
--- a/src/conf/py-sample/sample.jsonc
+++ b/src/conf/py-sample/sample.jsonc
@@ -3,6 +3,16 @@
 // "modules": [ "aws" ],
 "nb-workers": 0,
 // "vl": 4,
+ "boot-report": {
+ // "mua": "stdout",
+ "mua": "mailx",
+ "mail-to": [ "root" ]
+ // "subject": "Custom Boot Report Subject from {hostname}",
+ // "header": "Custom header content with {hostname} substitution."
+ // "uptime-since": true,
+ // "uptime": true,
+ // "bootid": true
+ },
 "tasks": [
 {
 "id": "backup",
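Review bot: In src/conf/py-sample/conf.d/core.json the `dig-dnssec` entry passes `+dnssec` but names no server, so the answer comes from whatever resolver the host is configured with, and `+dnssec` only requests the signature records; dig does not validate them itself. Against a resolver that does not validate, a zone with broken signatures still returns records and the `check-dnssec` task built on this entry reports success. Because `core.json` cannot carry a comment, the requirement for a validating resolver is best stated next to the task in `sample.jsonc`, or the task can pin one by prepending a server argument, e.g. `"argv": [ "@<validating-resolver>", "ANY", "example.com" ]`.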
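Review bot: In the first hunk of src/conf/py-sample/sample.jsonc the commented sample options inside `"boot-report"` cannot be enabled by just removing `//`: `"mail-to": [ "root" ]` has no trailing comma before them, and `// "header": "Custom header content with {hostname} substitution."` has none either although `// "uptime-since": true,` follows it. Whether the project's JSONC loader tolerates missing commas is not visible here, but a strict one would reject the file after the first uncomment. Writing the sample as `// "header": "Custom header content with {hostname} substitution.",` and adding a short comment that `mail-to` then needs a comma keeps the block copy-paste safe.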
@@ -115,6 +125,33 @@
 ]
 },
 {
+ "id": "check-dnssec",
+ "type": "backup",
+ "backend": "null",
+ "objects": [
+ {
+ "path": "example.com", // Placeholder
+ "pipeline": [
+ /*
+ * Check if dig can query the record with the DNSSEC
+ * validation flag. Empty stdout with zero return code
+ * means SERVFAIL.
+ */
+ {
+ "type": "exec-append",
+ "exec-id": "dig-dnssec",
+ "argv": [ "ANY", "example.com" ]
+ },
+ /*
+ * Trap for empty dig output grep will return non-zero if
+ * dig have not produced any output
+ */
+ { "type": "exec", "exec-id": "grep-any" }
+ ]
+ }
+ ]
+ },
+ {
 "id": "default",
 "type": "routine",
 "routine": [ |
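Review bot: The probe in the new `check-dnssec` task queries type `ANY`, which many resolvers and authoritative servers answer minimally or refuse (RFC 8482), so an empty answer here may not indicate a validation failure and the `grep-any` trap would raise a false alarm. A concrete signed record type is a steadier signal, for example `"argv": [ "SOA", "example.com" ]`. The comment above that step would also read more precisely as `Empty stdout with a zero return code means the resolver returned no answer (e.g. SERVFAIL on failed validation).`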