Add restarts and stricter sandbox. Add influx

This commit is contained in:
Alex 2020-05-16 23:41:11 +02:00
parent 71d3ade3bb
commit 3d24de992d
Signed by: caskd
GPG Key ID: F92BA85F61F4C173
2 changed files with 34 additions and 1 deletions

View File

@ -1,16 +1,23 @@
[Unit]
StartLimitIntervalSec=0
[Service]
User=nobody
Group=nogroup
Restart=always
RestartSec=10
Environment=
Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy/haproxy.pid"
ProtectHome=true
ProtectSystem=true
ProtectSystem=strict
PrivateTmp=yes
PrivateDevices=yes
RuntimeDirectory=haproxy
SecureBits=noroot
NoNewPrivileges=true
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes

View File

@ -0,0 +1,26 @@
[Unit]
StartLimitIntervalSec=0
[Service]
Restart=always
RestartSec=10
# TODO: Add mounts
TemporaryFileSystem=/:ro
BindReadOnlyPaths=/etc/influxdb /usr /lib /lib64
SecureBits=noroot
ProtectSystem=strict
PrivateUsers=true
NoNewPrivileges=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
PrivateTmp=yes
PrivateDevices=yes