Improve systemd unit file security and fix debian packaging
@@ -75,8 +75,7 @@ nfpms:
|
|||||||
- apk
|
- apk
|
||||||
conflicts:
|
conflicts:
|
||||||
- prometheus-mqtt-exporter
|
- prometheus-mqtt-exporter
|
||||||
scripts:
|
bindir: /usr/bin
|
||||||
postinstall: systemd/postinstall.sh
|
|
||||||
contents:
|
contents:
|
||||||
# Simple config file
|
# Simple config file
|
||||||
- src: config.yaml.dist
|
- src: config.yaml.dist
|
||||||
@@ -85,6 +84,9 @@ nfpms:
|
|||||||
- src: ./systemd/mqtt2prometheus.service
|
- src: ./systemd/mqtt2prometheus.service
|
||||||
dst: /etc/systemd/system/mqtt2prometheus.service
|
dst: /etc/systemd/system/mqtt2prometheus.service
|
||||||
type: config
|
type: config
|
||||||
|
- src: ./systemd/mqtt2prometheus
|
||||||
|
dst: /etc/default/mqtt2prometheus
|
||||||
|
type: config
|
||||||
|
|
||||||
|
|
||||||
dockers:
|
dockers:
|
||||||
|
|||||||
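Review bot: The unit is still packaged to `dst: /etc/systemd/system/mqtt2prometheus.service` with `type: config`, so the package-shipped file occupies the admin override location and will be treated as a conffile on upgrade; the usual layout is `dst: /lib/systemd/system/mqtt2prometheus.service` (no `type: config`), leaving `/etc/systemd/system` and drop-ins for local changes. With `postinstall: systemd/postinstall.sh` removed there is also nothing visible here that runs `systemctl daemon-reload` after install, so the new unit may not be picked up until the next reload — unless nfpm's packaging handles that elsewhere, which this hunk does not show. The `mqtt2prometheus` system user created by the old postinstall is left behind on upgraded hosts; since `DynamicUser=true` no longer needs it, a postremove cleanup or a release note would avoid a stale account. The enclosing `nfpms:` mapping starts outside the hunk.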
4
systemd/mqtt2prometheus
Normal file
4
systemd/mqtt2prometheus
Normal file
@@ -0,0 +1,4 @@
|
|||||||
|
# Command line options for mqtt2prometheus.service
|
||||||
|
# See also /etc/mqtt2prometheus/config.yaml
|
||||||
|
|
||||||
|
ARGS="-config /etc/mqtt2prometheus/config.yaml"
|
||||||
@@ -1,15 +1,47 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Simple translator from mqtt messages to prometheus. Analog to pushgateway
|
Description=Simple translator from mqtt messages to prometheus. Analog to pushgateway
|
||||||
Documentation=https://github.com/hikhvar/mqtt2prometheus
|
Documentation=https://github.com/hikhvar/mqtt2prometheus
|
||||||
|
After=network.target
|
||||||
Before=prometheus.service
|
Before=prometheus.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Restart=always
|
Restart=always
|
||||||
User=mqtt2prometheus
|
EnvironmentFile=/etc/default/mqtt2prometheus
|
||||||
EnvironmentFile=/etc/default/prometheus-mqtt-exporter
|
ExecStart=/usr/bin/mqtt2prometheus $ARGS
|
||||||
ExecStart=/opt/mqtt2prometheus/mqtt2prometheus -config /etc/mqtt2prometheus/config.yaml $ARGS
|
|
||||||
TimeoutStopSec=20s
|
TimeoutStopSec=20s
|
||||||
|
|
||||||
|
# Extra security hardening options
|
||||||
|
# See systemd.exec(5) for more information regarding these options.
|
||||||
|
|
||||||
|
# Empty because mqtt2prometheus does not require any special capability. See capabilities(7) for more information.
|
||||||
|
CapabilityBoundingSet=
|
||||||
|
DynamicUser=true
|
||||||
|
LockPersonality=true
|
||||||
|
MemoryDenyWriteExecute=true
|
||||||
|
NoNewPrivileges=true
|
||||||
|
PrivateDevices=true
|
||||||
|
PrivateTmp=true
|
||||||
|
PrivateUsers=true
|
||||||
|
ProtectClock=true
|
||||||
|
ProtectControlGroups=true
|
||||||
|
ProtectHome=true
|
||||||
|
ProtectHostname=true
|
||||||
|
ProtectKernelLogs=true
|
||||||
|
ProtectKernelModules=true
|
||||||
|
ProtectKernelTunables=true
|
||||||
|
ProtectSystem=strict
|
||||||
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
|
RestrictNamespaces=true
|
||||||
|
RestrictRealtime=true
|
||||||
|
RestrictSUIDSGID=true
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
SystemCallErrorNumber=EPERM
|
||||||
|
SystemCallFilter=@system-service
|
||||||
|
UMask=077
|
||||||
|
|
||||||
|
# See systemd.resource-control(5) for more information
|
||||||
|
#IPAddressAllow=127.0.0.0/8
|
||||||
|
#IPAddressDeny=any # the allow-list is evaluated before the deny list. Since the default is to allow, we need to deny everything.
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|||||||
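Review bot: The commented-out line `#IPAddressDeny=any # the allow-list is evaluated before the deny list …` carries a trailing comment, and systemd unit files do not support inline comments, so an admin who uncomments it gets the value `any # the allow-list …`, which systemd rejects and ignores — the deny list silently stays empty while the allow line suggests otherwise. Move the explanation onto its own line: `# IPAddressAllow= is evaluated before IPAddressDeny=, and the default is allow, so everything else must be denied explicitly.` / `#IPAddressAllow=127.0.0.0/8` / `#IPAddressDeny=any`, and note in that comment that `127.0.0.0/8` also blocks the outbound MQTT broker connection unless the broker is local. Separately, `After=network.target` only orders against network setup, not a configured network; since the exporter presumably dials the broker at startup, `Wants=network-online.target` plus `After=network-online.target` would avoid relying on `Restart=always` to paper over early-boot connection failures. With `ProtectSystem=strict` and `DynamicUser=true` the process has no writable path outside `/tmp`; that looks intended for a read-only exporter, but if it ever needs persistent state a `StateDirectory=` will be required.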
@@ -1,6 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
user=mqtt2prometheus
|
|
||||||
if ! getent passwd "${user}" > /dev/null; then
|
|
||||||
useradd --system --home-dir /var/lib/${user} --no-create-home || true
|
|
||||||
fi
|
|
||||||