From 5203629648732eb390688f166cf32a4b305e2a3b Mon Sep 17 00:00:00 2001 From: Alex Date: Sun, 31 May 2020 11:59:12 +0200 Subject: [PATCH] Tweak monitoring and varnish start options --- templates/grafana-server.service.j2 | 4 +++- templates/influxdb.service.j2 | 1 - templates/telegraf.service.j2 | 5 ++++- templates/varnish.service.j2 | 2 +- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/templates/grafana-server.service.j2 b/templates/grafana-server.service.j2 index 56f2f55..7ec8caa 100644 --- a/templates/grafana-server.service.j2 +++ b/templates/grafana-server.service.j2 @@ -1,6 +1,6 @@ [Service] ExecStart= -ExecStart=/usr/sbin/grafana-server --config=/etc/grafana/grafana.ini --pidfile=/run/grafana-server.pid --packaging=deb cfg:default.paths.logs=/var/log/grafana +ExecStart=/usr/sbin/grafana-server --config=/etc/grafana/grafana.ini --pidfile=/run/grafana/grafana-server.pid --packaging=deb cfg:default.paths.logs=/var/log/grafana cfg:default.paths.data=/tmp/data cfg:default.paths.plugins=/tmp/plugins cfg:default.paths.provisioning=/tmp/provision # TODO: Store or provision a set of plugins, prefferably the latter ProtectSystem=strict @@ -8,6 +8,8 @@ PrivateUsers=true NoNewPrivileges=yes TemporaryFileSystem=/:ro BindReadOnlyPaths=/etc/grafana /usr /lib /lib64 +LogsDirectory=grafana +RuntimeDirectory=grafana ProtectControlGroups=yes ProtectKernelModules=yes ProtectKernelTunables=yes diff --git a/templates/influxdb.service.j2 b/templates/influxdb.service.j2 index 9690341..50a0581 100644 --- a/templates/influxdb.service.j2 +++ b/templates/influxdb.service.j2 @@ -10,7 +10,6 @@ TemporaryFileSystem=/:ro BindReadOnlyPaths=/etc/influxdb /usr /lib /lib64 BindPaths={{ influxdb.storage }} -SecureBits=noroot ProtectSystem=strict PrivateUsers=true NoNewPrivileges=yes diff --git a/templates/telegraf.service.j2 b/templates/telegraf.service.j2 index ae8dfa8..05c12fe 100644 --- a/templates/telegraf.service.j2 +++ b/templates/telegraf.service.j2 
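Review bot: In templates/grafana-server.service.j2 the new `ExecStart=` points `paths.data`, `paths.plugins` and `paths.provisioning` at fixed names under `/tmp`, which is where Grafana by default keeps its SQLite database and where it loads plugin code from. No `PrivateTmp=` is visible in either hunk, so if `/tmp` resolves to the host's shared directory, another local account could create `/tmp/plugins` or `/tmp/data` before the service does. Since the next hunk already uses `LogsDirectory=` and `RuntimeDirectory=`, I would add `StateDirectory=grafana` and pass `cfg:default.paths.data=/var/lib/grafana cfg:default.paths.plugins=/var/lib/grafana/plugins`, which also keeps the database across restarts. If throwaway state is intended, set `PrivateTmp=yes` explicitly and say so in the TODO comment.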
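Review bot: `LogsDirectory=grafana` and `RuntimeDirectory=grafana`, added in the second hunk of templates/grafana-server.service.j2, are created with systemd's default mode 0755, so every local user can list the log directory and, depending on file modes, read the logs. Grafana logs can carry user names and request details, so I would add `LogsDirectoryMode=0750` and `RuntimeDirectoryMode=0750` beside them. The unit's `User=` and `Group=` are outside the hunk, so confirm who ends up owning both directories, given that `PrivateUsers=true` is set in the same unit.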
@@ -1,6 +1,9 @@
 [Service]
+EnvironmentFile=
+ExecStart=
+ExecStart=/usr/bin/telegraf -config /etc/telegraf/telegraf.conf -config-directory /etc/telegraf/telegraf.d
+
 ProtectSystem=strict
-PrivateUsers=true
 NoNewPrivileges=yes
 TemporaryFileSystem=/:ro
 BindReadOnlyPaths=/etc/telegraf /usr /lib /lib64 /proc /sys
diff --git a/templates/varnish.service.j2 b/templates/varnish.service.j2
index 4587264..57fac2c 100644
--- a/templates/varnish.service.j2
+++ b/templates/varnish.service.j2
@@ -1,3 +1,3 @@
 [Service]
 ExecStart=
-ExecStart=/usr/sbin/varnishd -F -a {{ varnish.frontend.sock }},user={{ varnish.frontend.user }},group={{ varnish.frontend.group }},mode={{ varnish.frontend.mode }} -j unix,user={{ varnish.jail.user }} -f /etc/varnish/default.vcl
+ExecStart=/usr/sbin/varnishd -F -a {{ varnish.frontend.sock }},user={{ varnish.frontend.user }},group={{ varnish.frontend.group }},mode={{ varnish.frontend.mode }} -j unix,user={{ varnish.jail.user }} -f /etc/varnish/default.vcl -s malloc,256m
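Review bot: The hunk in templates/telegraf.service.j2 drops `PrivateUsers=true`, and the influxdb hunk likewise drops `SecureBits=noroot`, yet neither the templates nor the commit message say why these hardening options had to go. Without the user namespace the service keeps whatever capabilities its account has on the host, so check that the unit (outside this hunk) sets a non-root `User=` and a minimal `CapabilityBoundingSet=`. Record the reason in the template, e.g. `# PrivateUsers= is off: <reason, e.g. which input needed host users>`. Clearing `EnvironmentFile=` also means variables from the packaged environment file are no longer loaded, so any credentials telegraf.conf expects from the environment need another source with restricted permissions.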
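Review bot: `-s malloc,256m` in templates/varnish.service.j2 is hard-coded on a line where every other tunable comes from a `varnish.*` variable, so hosts with a different memory budget need a template edit. I would take it from a variable with a default, e.g. `-s {{ varnish.storage | default('malloc,256m') }}` (the variable name is only a suggestion). The malloc size bounds cached object storage, not the whole varnishd process, so if the aim is to cap the service's memory, a `MemoryMax=` line in `[Service]` is the setting that enforces it.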