From f9bef9585657e6b4a55e628f524e3bad849f3196 Mon Sep 17 00:00:00 2001
From: Alex
Date: Thu, 2 Jul 2020 20:49:19 +0200
Subject: [PATCH] Allow telegram to snoop on seedbox files, monitor the seedbox and increase the backend size for varnish

---
 templates/haproxy.service.j2  | 4 ++--
 templates/telegraf.service.j2 | 6 ++++++
 templates/varnish.service.j2  | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/templates/haproxy.service.j2 b/templates/haproxy.service.j2
index 3d76d76..a243412 100644
--- a/templates/haproxy.service.j2
+++ b/templates/haproxy.service.j2
@@ -2,8 +2,8 @@
 StartLimitIntervalSec=0
 
 [Service]
-User=varnish
-Group=varnish
+User={{ haproxy.user }}
+Group={{ haproxy.group }}
 Restart=on-failure
 RestartSec=10
 
diff --git a/templates/telegraf.service.j2 b/templates/telegraf.service.j2
index aff888a..527feed 100644
--- a/templates/telegraf.service.j2
+++ b/templates/telegraf.service.j2
@@ -13,6 +13,9 @@ ProtectSystem=strict
 NoNewPrivileges=yes
 TemporaryFileSystem=/:ro
 BindReadOnlyPaths=/etc/telegraf /usr /lib /lib64 /proc /sys
+{% if inventory_hostname == "n2" %}
+BindReadOnlyPaths=/mnt/seedbox
+{% endif %}
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
@@ -27,4 +30,7 @@ PrivateDevices=yes
 {% if inventory_hostname == "n1" %}
 CapabilityBoundingSet=CAP_NET_ADMIN
 AmbientCapabilities=CAP_NET_ADMIN
+{% elif inventory_hostname == "n2" %}
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+AmbientCapabilities=CAP_DAC_READ_SEARCH
 {% endif %}
diff --git a/templates/varnish.service.j2 b/templates/varnish.service.j2
index be49fa6..371608f 100644
--- a/templates/varnish.service.j2
+++ b/templates/varnish.service.j2
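Review bot: `User={{ haproxy.user }}` and `Group={{ haproxy.group }}` have no guard against the variable rendering empty: systemd treats an empty `User=` as a reset to the default, so a blank value starts haproxy as root, the opposite of what moving it off the shared `varnish` account is meant to achieve. Ansible's default undefined-variable handling fails the template when `haproxy.user` is missing entirely, but an empty string or a bad host_vars override renders through; `User={{ haproxy.user | mandatory }}` and `Group={{ haproxy.group | mandatory }}` at least make the undefined case explicit, and a non-empty assertion in the play would cover the rest. If haproxy reaches varnish over the socket declared by `varnish.frontend.sock`, the new group presumably also has to match `varnish.frontend.group` or be admitted by `varnish.frontend.mode`; that cannot be verified from this hunk. The [Unit] section this template starts with lies outside the hunk.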
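Review bot: `BindReadOnlyPaths=/mnt/seedbox` makes the bind mandatory, so if the seedbox volume is absent or not yet mounted when the unit starts, namespace setup fails and telegraf does not come up on n2 at all; `BindReadOnlyPaths=-/mnt/seedbox` (leading `-`) makes a missing path non-fatal, and a `RequiresMountsFor=/mnt/seedbox` in [Unit], outside this hunk, orders the service after the mount. The host name `"n2"` is hard-coded here while the haproxy template in the same commit moves to role variables; a list such as `telegraf.extra_ro_paths` rendered in a `{% for %}` loop would keep host specifics in inventory and make the next host a one-line change. A read-only bind also exposes every file under the mount to the agent, so if only mount usage is wanted (the `disk` input), the bind alone is enough and no capability is needed; a comment stating which input the bind serves would let the next reader judge that.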
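Review bot: `AmbientCapabilities=CAP_DAC_READ_SEARCH` bypasses read and search permission checks on every path in telegraf's mount namespace, not only under `/mnt/seedbox`, and any `BindReadOnlyPaths=` added later silently inherits that bypass; a metrics agent with a namespace-wide DAC override is a larger grant than the commit title suggests. If the aim is to stat or count files owned by the seedbox user, membership in that user's group or a read ACL scoped to the tree (`setfacl -R -m u:telegraf:rX /mnt/seedbox` plus a matching default ACL) gives the same access with no capability, leaving `AmbientCapabilities=` empty on n2. Separately, hosts that are neither n1 nor n2 leave the `{% if %}` with no `CapabilityBoundingSet=` line at all unless one is set earlier in the file; an `{% else %}` branch with `CapabilityBoundingSet=` (an empty assignment drops every capability) would make the restriction the default rather than the exception. Whether a `User=` line above line 27 already drops root for those hosts is not visible here.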
@@ -8,4 +8,4 @@ RestartSec=10
 CacheDirectory=varnish
 ExecStart=
-ExecStart=/usr/sbin/varnishd -F -a {{ varnish.frontend.sock }},user={{ varnish.frontend.user }},group={{ varnish.frontend.group }},mode={{ varnish.frontend.mode }},PROXY -p feature=+http2 -p tcp_fastopen=on -j unix,user={{ varnish.jail.user }} -f /etc/varnish/default.vcl -s file,/var/cache/varnish/file,4G
+ExecStart=/usr/sbin/varnishd -F -a {{ varnish.frontend.sock }},user={{ varnish.frontend.user }},group={{ varnish.frontend.group }},mode={{ varnish.frontend.mode }},PROXY -p feature=+http2 -p tcp_fastopen=on -j unix,user={{ varnish.jail.user }} -f /etc/varnish/default.vcl -s file,/var/cache/varnish/file,10G
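Review bot: The file storage under `CacheDirectory=varnish` now holds up to 10G of cached response bodies and nothing in the unit narrows who can read it: `CacheDirectory=` defaults to mode 0755, so `/var/cache/varnish` is listable by every local user and the backing file's mode is whatever the jailed worker's umask yields. If cached content can include private or authenticated responses, `CacheDirectoryMode=0750` next to `CacheDirectory=varnish` is a cheap safeguard; confirm against the VCL what is cacheable. The size is also the last hard-coded value on a line where socket, users and jail are already variables; `-s file,/var/cache/varnish/file,{{ varnish.storage.size }}` with `10G` as the role default would let per-host disk capacity drive it instead of a template edit.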