Merge pull request #120 from m-rtijn/improve-systemd-service-file

Improve systemd unit file security and fix debian packaging

.goreleaser.yml

@@ -75,8 +75,7 @@ nfpms:
       - apk
     conflicts:
       - prometheus-mqtt-exporter
-    scripts:
-      postinstall: systemd/postinstall.sh
+    bindir: /usr/bin
     contents:
       # Simple config file
       - src: config.yaml.dist
@@ -85,6 +84,9 @@ nfpms:
       - src: ./systemd/mqtt2prometheus.service
         dst: /etc/systemd/system/mqtt2prometheus.service
         type: config
+      - src: ./systemd/mqtt2prometheus
+        dst: /etc/default/mqtt2prometheus
+        type: config
 
 
 dockers:

systemd/mqtt2prometheus

@@ -0,0 +1,4 @@
+# Command line options for mqtt2prometheus.service
+# See also /etc/mqtt2prometheus/config.yaml
+
+ARGS="-config /etc/mqtt2prometheus/config.yaml"

systemd/mqtt2prometheus.service

@@ -1,15 +1,47 @@
 [Unit]
 Description=Simple translator from mqtt messages to prometheus. Analog to pushgateway
 Documentation=https://github.com/hikhvar/mqtt2prometheus
+After=network.target
 Before=prometheus.service
 
 [Service]
 Restart=always
-User=mqtt2prometheus
-EnvironmentFile=/etc/default/prometheus-mqtt-exporter
-ExecStart=/opt/mqtt2prometheus/mqtt2prometheus -config /etc/mqtt2prometheus/config.yaml $ARGS
+EnvironmentFile=/etc/default/mqtt2prometheus
+ExecStart=/usr/bin/mqtt2prometheus $ARGS
 TimeoutStopSec=20s
 
+# Extra security hardening options
+# See systemd.exec(5) for more information regarding these options.
+
+# Empty because mqtt2prometheus does not require any special capability. See capabilities(7) for more information.
+CapabilityBoundingSet=
+DynamicUser=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+UMask=077
+
+# See systemd.resource-control(5) for more information
+#IPAddressAllow=127.0.0.0/8
+#IPAddressDeny=any # the allow-list is evaluated before the deny list. Since the default is to allow, we need to deny everything.
 
 [Install]
 WantedBy=multi-user.target

systemd/postinstall.sh

@@ -1,6 +0,0 @@
-#!/bin/sh
-
-user=mqtt2prometheus
-if ! getent passwd "${user}" > /dev/null; then
-    useradd --system --home-dir /var/lib/${user} --no-create-home || true
-fi