Lock down systemd service (#68)

To be on the safe side, restrict what the service can do.

Author: ecksun

tasks/preflight.yml

@@ -15,6 +15,14 @@
   when: item in node_exporter_enabled_collectors
   with_items: "{{ node_exporter_disabled_collectors }}"
 
+- name: Get systemd version
+  shell: systemctl --version | awk '$1 == "systemd" {print $2}'
+  changed_when: false
+  check_mode: false
+  register: node_exporter_systemd_version
+  tags:
+    - skip_ansible_lint
+
 - name: Get checksum list from github
   set_fact:
     _checksums: "{{ lookup('url', 'https://github.com/prometheus/node_exporter/releases/download/v' + node_exporter_version + '/sha256sums.txt', wantlist=True) | list }}"

templates/node_exporter.service.j2

@@ -27,5 +27,18 @@ ExecStart=/usr/local/bin/node_exporter \
 SyslogIdentifier=node_exporter
 Restart=always
 
+PrivateTmp=yes
+ProtectHome=yes
+NoNewPrivileges=yes
+
+{% if node_exporter_systemd_version.stdout | int >= 232 %}
+ProtectSystem=strict
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=yes
+{% else %}
+ProtectSystem=full
+{% endif %}
+
 [Install]
 WantedBy=multi-user.target