From f1075f125d8294b426dca90795bc775e5ecc75af Mon Sep 17 00:00:00 2001
From: nd <git@notandy.de>
Date: Sat, 4 Dec 2021 00:12:07 +0100
Subject: [PATCH] jail service

---
 debian/conffiles | 1 +
 prometheus-hcloud-exporter@.service | 30 ++++++++++++++++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 debian/conffiles

diff --git a/debian/conffiles b/debian/conffiles
new file mode 100644
index 0000000..9617f9d
--- /dev/null
+++ b/debian/conffiles
@@ -0,0 +1 @@
+#/etc/prometheus-hcloud-exporter/
diff --git a/prometheus-hcloud-exporter@.service b/prometheus-hcloud-exporter@.service
index 96c4125..fed4be0 100644
--- a/prometheus-hcloud-exporter@.service
+++ b/prometheus-hcloud-exporter@.service
@@ -1,9 +1,37 @@
 [Unit]
 Description=Prometheus exporter for hetzner cloud metrics
+After=network.target
 
 [Service]
+
 Restart=always
-DynamicUser=yes
+RestartSec=10
+
+DynamicUser=true
+PrivateUsers=true
+CapabilityBoundingSet=
+NoNewPrivileges=true
+RemoveIPC=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectClock=true
+ProtectHostname=true
+ProtectProc=noaccess
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+MemoryDenyWriteExecute=true
+
 EnvironmentFile=/etc/prometheus-hcloud-exporter/%i.env
 ExecStart=/usr/bin/prometheus-hcloud-exporter $ARGS
 ExecReload=/bin/kill -HUP $MAINPID
-- 
GitLab
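Review bot: The only line in the new debian/conffiles, `#/etc/prometheus-hcloud-exporter/`, does not register anything as a conffile: the format takes one absolute path to a regular file per line, and as far as I know dpkg does not treat `#` as a comment marker, so this line is either ignored by the packaging helper or rejected as a non-absolute name at build time — worth checking with a test build. If the intent is to protect the per-instance `%i.env` files (which hold the exporter's configuration, presumably including credentials) from being overwritten on upgrade, list each shipped file explicitly, e.g. `/etc/prometheus-hcloud-exporter/example.env`; a directory cannot be a conffile, and files the package does not ship need no entry. Otherwise drop the file rather than leave a placeholder that reads like a disabled entry.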
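Review bot: `SystemCallFilter=@system-service` on its own still admits the `@resources` group (rlimit, scheduling and memory-policy calls) that the `@system-service` set folds in, so the usual hardening pairs it with a deny line directly after it, `SystemCallFilter=~@privileged @resources`, which is what `systemd-analyze security` recommends for a unit like this. Two smaller points in the same hunk: `ProtectProc=noaccess`, `ProtectClock=` and `ProtectHostname=` are newer directives than the rest, and a systemd that does not know them logs an unknown-assignment warning and skips them rather than failing, so a comment naming the minimum systemd version this unit was verified against (e.g. `# hardening directives below require systemd >= <VERSION-TESTED>`) would keep the sandbox from silently degrading on older hosts. `After=network.target` also does not wait for a configured network; since the exporter presumably reaches the Hetzner API at startup, `Wants=network-online.target` plus `After=network-online.target` is the conventional pairing, although `Restart=always` with `RestartSec=10` makes this a startup-noise issue rather than a failure.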