RedXen
/
ansible-systemd
Archived
1
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity
This repository has been archived on 2020-08-09. You can view files and clone it, but cannot push or open issues or pull requests.
ansible-systemd/templates/telegraf.service.j2

37 lines
938 B
Django/Jinja
Raw Permalink Blame History

[Unit]
StartLimitIntervalSec=0
[Service]
EnvironmentFile=
ExecStart=
ExecStart=/usr/bin/telegraf -config /etc/telegraf/telegraf.conf -config-directory /etc/telegraf/telegraf.d
Restart=on-failure
RestartSec=10
ProtectSystem=strict
NoNewPrivileges=yes
TemporaryFileSystem=/:ro
BindReadOnlyPaths=/etc/telegraf /usr /lib /lib64 /proc /sys
{% if inventory_hostname == "n2" %}
BindReadOnlyPaths=/mnt/seedbox
{% endif %}
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
PrivateTmp=yes
PrivateDevices=yes
{% if inventory_hostname == "n1" %}
CapabilityBoundingSet=CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_ADMIN
{% elif inventory_hostname == "n2" %}
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
AmbientCapabilities=CAP_DAC_READ_SEARCH
{% endif %}
Reference in New Issue View Git Blame Copy Permalink