BAMS initial project structure

configs/bams.service

@@ -0,0 +1,32 @@
+[Unit]
+Description=BAMS Backend Service
+Documentation=https://github.com/bams/bams
+After=network.target
+
+[Service]
+Type=simple
+User=bams
+Group=bams
+WorkingDirectory=/var/lib/bams
+ExecStart=/usr/local/bin/bams-backend
+Restart=on-failure
+RestartSec=5s
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=bams
+
+# Security settings
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/bams /etc/bams
+
+# Environment
+Environment="BAMS_CONFIG=/etc/bams/config.yaml"
+Environment="BAMS_PORT=8080"
+Environment="BAMS_LOG_LEVEL=info"
+
+[Install]
+WantedBy=multi-user.target
+

configs/config.yaml.example

@@ -0,0 +1,19 @@
+# BAMS Configuration File
+# Copy to /etc/bams/config.yaml and customize
+
+port: 8080
+log_level: info
+data_dir: /var/lib/bams
+
+# SCST configuration file path
+scst_config: /etc/scst.conf
+
+# Bacula Storage Daemon configuration path
+bacula_config: /etc/bacula/bacula-sd.conf
+
+# Security settings
+security:
+  require_https: false
+  allowed_users: []
+  # Example: allowed_users: ["admin", "operator"]
+

configs/polkit.rules

@@ -0,0 +1,20 @@
+// Polkit rules for BAMS privileged operations
+// Place in /etc/polkit-1/rules.d/50-bams.rules
+
+polkit.addRule(function(action, subject) {
+    if (action.id == "com.bams.disk.create" ||
+        action.id == "com.bams.disk.delete" ||
+        action.id == "com.bams.iscsi.modify" ||
+        action.id == "com.bams.bacula.restart") {
+        if (subject.isInGroup("bams-admin")) {
+            return polkit.Result.YES;
+        }
+    }
+    if (action.id == "com.bams.tape.operate" ||
+        action.id == "com.bams.bacula.inventory") {
+        if (subject.isInGroup("bams-admin") || subject.isInGroup("bams-operator")) {
+            return polkit.Result.YES;
+        }
+    }
+});
+