Add back grafana and telegraf, add daemon reload notifier for overrides

handlers/main.yml

@@ -1,3 +1,6 @@
+- name: Reload daemon
+  systemd:
+        daemon_reload: true
 - name: Run service actions
   loop: "{{ systemd.services }}"
   systemd:

tasks/main.yml

@@ -14,7 +14,9 @@
         follow: yes
         src: "{{ item }}.service.j2"
         dest: "/etc/systemd/system/{{ item }}.service.d/override.conf"
-  notify: Run service actions
+  notify:
+        - Reload daemon
+        - Run service actions
   when: (systemd.overrides| default([])) | length
   tags:
         - systemd

templates/grafana-server.service.j2

@@ -0,0 +1,21 @@
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/grafana-server --config=/etc/grafana/grafana.ini --pidfile=/run/grafana-server.pid --packaging=deb cfg:default.paths.logs=/var/log/grafana
+# TODO: Store or provision a set of plugins, prefferably the latter
+
+ProtectSystem=strict
+PrivateUsers=true
+NoNewPrivileges=yes
+TemporaryFileSystem=/:ro
+BindReadOnlyPaths=/etc/grafana /usr /lib /lib64
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+PrivateTmp=yes
+PrivateDevices=yes

templates/telegraf.service.j2

@@ -0,0 +1,17 @@
+[Service]
+ProtectSystem=strict
+PrivateUsers=true
+NoNewPrivileges=yes
+TemporaryFileSystem=/:ro
+BindReadOnlyPaths=/etc/telegraf /usr /lib /lib64 /proc /sys
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+PrivateTmp=yes
+PrivateDevices=yes