Improve systemd unit file security and fix debian packaging
@@ -75,8 +75,7 @@ nfpms:
|
||||
- apk
|
||||
conflicts:
|
||||
- prometheus-mqtt-exporter
|
||||
scripts:
|
||||
postinstall: systemd/postinstall.sh
|
||||
bindir: /usr/bin
|
||||
contents:
|
||||
# Simple config file
|
||||
- src: config.yaml.dist
|
||||
@@ -85,6 +84,9 @@ nfpms:
|
||||
- src: ./systemd/mqtt2prometheus.service
|
||||
dst: /etc/systemd/system/mqtt2prometheus.service
|
||||
type: config
|
||||
- src: ./systemd/mqtt2prometheus
|
||||
dst: /etc/default/mqtt2prometheus
|
||||
type: config
|
||||
|
||||
|
||||
dockers:
|
||||
|
||||
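--- /dev/null
+++ b/systemd/mqtt2prometheus
@@ -0,0 +1,4 @@
+# Command line options for mqtt2prometheus.service
+# See also /etc/mqtt2prometheus/config.yaml
+
+ARGS="-config /etc/mqtt2prometheus/config.yaml"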
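Review bot: The header comment does not say who parses this file, and that matters because it is read by systemd's EnvironmentFile= rather than by a shell, so quoting and the absence of variable expansion follow systemd.exec(5), not sh, and the unquoted `$ARGS` in the unit's `ExecStart=/usr/bin/mqtt2prometheus $ARGS` is word-split by systemd into separate arguments. A line above the assignment such as `# Parsed by systemd (EnvironmentFile=), not a shell; quoting rules per systemd.exec(5)` would make that explicit for anyone editing the value later.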
@@ -1,15 +1,47 @@
|
||||
[Unit]
|
||||
Description=Simple translator from mqtt messages to prometheus. Analog to pushgateway
|
||||
Documentation=https://github.com/hikhvar/mqtt2prometheus
|
||||
After=network.target
|
||||
Before=prometheus.service
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
User=mqtt2prometheus
|
||||
EnvironmentFile=/etc/default/prometheus-mqtt-exporter
|
||||
ExecStart=/opt/mqtt2prometheus/mqtt2prometheus -config /etc/mqtt2prometheus/config.yaml $ARGS
|
||||
EnvironmentFile=/etc/default/mqtt2prometheus
|
||||
ExecStart=/usr/bin/mqtt2prometheus $ARGS
|
||||
TimeoutStopSec=20s
|
||||
|
||||
# Extra security hardening options
|
||||
# See systemd.exec(5) for more information regarding these options.
|
||||
|
||||
# Empty because mqtt2prometheus does not require any special capability. See capabilities(7) for more information.
|
||||
CapabilityBoundingSet=
|
||||
DynamicUser=true
|
||||
LockPersonality=true
|
||||
MemoryDenyWriteExecute=true
|
||||
NoNewPrivileges=true
|
||||
PrivateDevices=true
|
||||
PrivateTmp=true
|
||||
PrivateUsers=true
|
||||
ProtectClock=true
|
||||
ProtectControlGroups=true
|
||||
ProtectHome=true
|
||||
ProtectHostname=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectSystem=strict
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
SystemCallArchitectures=native
|
||||
SystemCallErrorNumber=EPERM
|
||||
SystemCallFilter=@system-service
|
||||
UMask=077
|
||||
|
||||
# See systemd.resource-control(5) for more information
|
||||
#IPAddressAllow=127.0.0.0/8
|
||||
#IPAddressDeny=any # the allow-list is evaluated before the deny list. Since the default is to allow, we need to deny everything.
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
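Review bot: The commented-out `#IPAddressDeny=any # the allow-list is evaluated before the deny list. ...` line cannot be enabled just by deleting its leading `#`, because systemd only recognises `#` and `;` at the start of a line, so the trailing explanation would become part of the IPAddressDeny= value and the assignment would be rejected. Move the explanation onto its own comment line above the pair, `# IPAddressAllow= is evaluated before IPAddressDeny=; the default is to allow, so everything else must be denied explicitly.`, leaving `#IPAddressAllow=127.0.0.0/8` and `#IPAddressDeny=any` as plain template lines. Separately, `DynamicUser=true` replaces the removed `User=mqtt2prometheus` (the postinstall script that created that account is deleted in this commit), so /etc/mqtt2prometheus/config.yaml passed through $ARGS is now read by a UID allocated at start-up and presumably has to be readable by other than a fixed owner; if that file carries broker credentials, which is not visible here, LoadCredential= together with the `%d` specifier in ExecStart= would let systemd hand the file to the process without relaxing its permissions.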
@@ -1,6 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
user=mqtt2prometheus
|
||||
if ! getent passwd "${user}" > /dev/null; then
|
||||
useradd --system --home-dir /var/lib/${user} --no-create-home || true
|
||||
fi
|
||||