Add back grafana and telegraf, add daemon reload notifier for overrides

This commit is contained in:
Alex 2020-05-29 20:04:06 +02:00
parent af44cfba00
commit 806a6acd9d
Signed by: caskd
GPG Key ID: F92BA85F61F4C173
4 changed files with 44 additions and 1 deletions


@ -1,3 +1,6 @@
- name: Reload daemon
systemd:
daemon_reload: true
- name: Run service actions
loop: "{{ systemd.services }}"
systemd:
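Review bot: The new `Reload daemon` handler on L14-16 depends on its position in the file to run before `Run service actions`: Ansible fires notified handlers in the order they are defined in the handlers file, not in the order they were notified, and nothing in the hunk records that this ordering is load-bearing. A one-line comment above L14 would pin it: `# Keep above "Run service actions": handlers run in file order, so the daemon-reload precedes any restart`. Handlers also only fire at the end of the play (or at a `meta: flush_handlers`), so a task that fails after the override is written but before the play ends leaves the stale unit definition loaded; a `meta: flush_handlers` after the override tasks would close that window. The `Run service actions` handler's module arguments continue past the end of the hunk.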


@ -14,7 +14,9 @@
follow: yes
src: "{{ item }}.service.j2"
dest: "/etc/systemd/system/{{ item }}.service.d/override.conf"
notify: Run service actions
notify:
- Reload daemon
- Run service actions
when: (systemd.overrides| default([])) | length
tags:
- systemd
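Review bot: The override task now notifies `Run service actions` (L30), but that handler loops over `systemd.services` (L18 in the handlers hunk), not over `systemd.overrides`, so a drop-in written for a unit that is not also listed in `systemd.services` gets the daemon-reload and is then never restarted, leaving it running under the old sandbox. Either document that coupling above the task — `# Units in systemd.overrides must also appear in systemd.services, otherwise the new drop-in is loaded but not applied until the next restart` — or add a handler that restarts `{{ item }}` for each override. The head of this template task starts before the hunk, so I cannot see whether it sets `owner: root`, `group: root` and `mode: "0644"`; if it does not, it should, since a group- or world-writable drop-in under `/etc/systemd/system` lets a non-root writer replace `ExecStart=` of a root-started unit.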


@ -0,0 +1,21 @@
[Service]
ExecStart=
ExecStart=/usr/sbin/grafana-server --config=/etc/grafana/grafana.ini --pidfile=/run/grafana-server.pid --packaging=deb cfg:default.paths.logs=/var/log/grafana
# TODO: Store or provision a set of plugins, prefferably the latter
ProtectSystem=strict
PrivateUsers=true
NoNewPrivileges=yes
TemporaryFileSystem=/:ro
BindReadOnlyPaths=/etc/grafana /usr /lib /lib64
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
PrivateTmp=yes
PrivateDevices=yes
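Review bot: `TemporaryFileSystem=/:ro` on L45 together with only read-only binds on L46 leaves Grafana no writable location: the data directory (by default `/var/lib/grafana`, holding the sqlite DB and plugins), the log directory that L40 itself points at `/var/log/grafana`, and the pidfile under `/run` on the same line are all hidden or read-only, so unless the packaged base unit already declares them writable (nothing in this drop-in does) the service will fail to start. The fix is to bind the state and log directories writable and give the pidfile a runtime directory that is bound in the same way; I am inferring the deb's paths from L40, so confirm with a test boot. The TODO on L41 should also note that a provisioned plugin directory has to be one of the writable paths, since `BindReadOnlyPaths=/usr` makes the packaged location read-only. Separately, the hardening stops short of capabilities and syscalls; `CapabilityBoundingSet=`, `SystemCallFilter=@system-service` and `SystemCallArchitectures=native` would complete it.
```ini
ExecStart=
ExecStart=/usr/sbin/grafana-server --config=/etc/grafana/grafana.ini --pidfile=/run/grafana-server/grafana-server.pid --packaging=deb cfg:default.paths.logs=/var/log/grafana
# … unchanged: ProtectSystem, PrivateUsers, NoNewPrivileges, TemporaryFileSystem, BindReadOnlyPaths …
# Writable state for the sqlite DB/plugins, the log dir named in ExecStart, and the pidfile dir.
BindPaths=/var/lib/grafana /var/log/grafana /run/grafana-server
RuntimeDirectory=grafana-server
# … unchanged: remaining Protect*/Restrict* settings …
```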


@ -0,0 +1,17 @@
[Service]
ProtectSystem=strict
PrivateUsers=true
NoNewPrivileges=yes
TemporaryFileSystem=/:ro
BindReadOnlyPaths=/etc/telegraf /usr /lib /lib64 /proc /sys
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
PrivateTmp=yes
PrivateDevices=yes
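Review bot: L67 binds `/proc` and `/sys` read-only, which the grafana drop-in does not, and nothing says why; a comment would spare the next reader the guess: `# /proc and /sys are read by the system/cpu/mem/disk inputs; ProtectKernelTunables keeps their writable parts masked`. Like the grafana file this one leaves no writable path at all, so if `/etc/telegraf/telegraf.conf` sets `logfile` or uses a file-writing output, telegraf will fail or log nothing; either add `LogsDirectory=telegraf` plus `BindPaths=/var/log/telegraf`, or state in a comment that the sandbox assumes journal-only logging. `AF_NETLINK` on L71 is likewise unexplained — I believe the stock gopsutil-based inputs read `/proc/net` rather than netlink, so verify and drop it if nothing needs it. The same missing `CapabilityBoundingSet=` and `SystemCallFilter=@system-service` noted for the grafana drop-in applies here.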