From f1075f125d8294b426dca90795bc775e5ecc75af Mon Sep 17 00:00:00 2001
From: nd <git@notandy.de>
Date: Sat, 4 Dec 2021 00:12:07 +0100
Subject: [PATCH] jail service

---
 debian/conffiles                    |  1 +
 prometheus-hcloud-exporter@.service | 30 ++++++++++++++++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 debian/conffiles

diff --git a/debian/conffiles b/debian/conffiles
new file mode 100644
index 0000000..9617f9d
--- /dev/null
+++ b/debian/conffiles
@@ -0,0 +1 @@
+#/etc/prometheus-hcloud-exporter/
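Review bot: The only line in the new `debian/conffiles` is `#/etc/prometheus-hcloud-exporter/`, which is both commented out and names a directory, so as committed it either registers nothing (if the reading tool skips `#` lines) or is an invalid entry; conffiles entries have to be individual files that the package ships. If the intent was to protect admin-written `%i.env` instance files from being overwritten, dpkg cannot track files the package does not install, so this file adds nothing either way. Either drop the file or replace the placeholder with a real shipped path such as a packaged default env file, and say in the commit which it is.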
diff --git a/prometheus-hcloud-exporter@.service b/prometheus-hcloud-exporter@.service
index 96c4125..fed4be0 100644
--- a/prometheus-hcloud-exporter@.service
+++ b/prometheus-hcloud-exporter@.service
@@ -1,9 +1,37 @@
 [Unit]
 Description=Prometheus exporter for hetzner cloud metrics
+After=network.target
 
 [Service]
+
 Restart=always
-DynamicUser=yes
+RestartSec=10
+
+DynamicUser=true
+PrivateUsers=true
+CapabilityBoundingSet=
+NoNewPrivileges=true
+RemoveIPC=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectClock=true
+ProtectHostname=true
+ProtectProc=noaccess
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+MemoryDenyWriteExecute=true
+
 EnvironmentFile=/etc/prometheus-hcloud-exporter/%i.env
 ExecStart=/usr/bin/prometheus-hcloud-exporter $ARGS
 ExecReload=/bin/kill -HUP $MAINPID
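Review bot: Several of the new hardening directives (`ProtectProc=`, `ProtectClock=`, `ProtectKernelLogs=`, `ProtectHostname=`) are newer than the systemd shipped in older Debian releases, and systemd logs an unknown setting as a warning and ignores it rather than failing the unit, so on such hosts the sandbox silently degrades; a comment above the block such as `# Hardening: needs systemd >= 247 (ProtectProc=); verify with systemd-analyze security` would record the expectation. Note also that `RemoveIPC=`, `PrivateTmp=`, `NoNewPrivileges=`, `RestrictSUIDSGID=` and `ProtectSystem=strict` are already implied by `DynamicUser=true`, so keeping them explicit is documentation rather than added protection and is worth a one-line comment so nobody "cleans them up" later. If `$ARGS` in the env file carries the Hetzner API token, none of the new settings keep it out of the process command line, which is typically readable by other local users via /proc; passing the token through an environment variable from the same `EnvironmentFile=` instead would close that gap. The unit still has no `[Install]` section, which predates this change.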
-- 
GitLab