increase systemd service security

tasks/preflight.yml

@@ -4,6 +4,18 @@
     that: ansible_service_mgr == 'systemd'
     msg: "This role only works with systemd"
 
+- name: Get systemd version
+  command: systemctl --version
+  changed_when: false
+  check_mode: false
+  register: __systemd_version
+  tags:
+    - skip_ansible_lint
+
+- name: Set systemd version fact
+  set_fact:
+    blackbox_exporter_systemd_version: "{{ __systemd_version.stdout_lines[0].split(' ')[-1] }}"
+
 - name: Naive assertion of proper listen address
   assert:
     that:

templates/blackbox_exporter.service.j2

@@ -3,6 +3,7 @@
 Description=Blackbox Exporter
 After=network-online.target
 StartLimitInterval=0
+StartLimitIntervalSec=0
 
 [Service]
 Type=simple
@@ -19,7 +20,26 @@ ExecStart=/usr/local/bin/blackbox_exporter \
 SyslogIdentifier=blackbox_exporter
 KillMode=process
 Restart=always
-RestartSec=1
+RestartSec=5
+
+CapabilityBoundingSet=CAP_SET_UID
+LockPersonality=true
+NoNewPrivileges=true
+MemoryDenyWriteExecute=true
+PrivateTmp=true
+ProtectHome=true
+RemoveIPC=true
+RestrictSUIDSGID=true
+
+{% if blackbox_exporter_systemd_version | int >= 232 %}
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=yes
+ProtectSystem=strict
+{% else %}
+ProtectSystem=full
+{% endif %}
 
 [Install]
 WantedBy=multi-user.target