node_exporter: Fix Systemd ProtectHome option in service unit

Fixes an issue with the jinja2 snippet which is used to create the node_exporter Systemd unit. More details here: #13

Jinja2 namespaces are used to ensure the variable `protect_home` can be set in the parent scope of the `for` loop looking through the mounts.

Signed-off-by: Kevin Bowrin <kevinbowrin@cunet.carleton.ca>

roles/node_exporter/molecule/alternative/tests/test_alternative.py

@@ -23,6 +23,12 @@ def test_service(host):
     assert s.is_running
 
 
+def test_protecthome_property(host):
+    s = host.service("node_exporter")
+    p = s.systemd_properties
+    assert p.get("ProtectHome") == "yes"
+
+
 def test_socket(host):
     sockets = [
         "tcp://127.0.0.1:8080"

roles/node_exporter/molecule/default/tests/test_default.py

@@ -57,6 +57,12 @@ def test_service(host):
     assert s.is_running
 
 
+def test_protecthome_property(host):
+    s = host.service("node_exporter")
+    p = s.systemd_properties
+    assert p.get("ProtectHome") == "yes"
+
+
 def test_socket(host):
     sockets = [
         "tcp://127.0.0.1:9100"

roles/node_exporter/molecule/latest/tests/test_alternative.py

@@ -25,6 +25,12 @@ def test_service(host):
     assert s.is_running
 
 
+def test_protecthome_property(host):
+    s = host.service("node_exporter")
+    p = s.systemd_properties
+    assert p.get("ProtectHome") == "yes"
+
+
 def test_socket(host):
     s = host.socket("tcp://0.0.0.0:9100")
     assert s.is_listening

roles/node_exporter/templates/node_exporter.service.j2

@@ -38,11 +38,11 @@ Restart=always
 RestartSec=1
 StartLimitInterval=0
 
-{% set protect_home = 'yes' %}
+{% set ns = namespace(protect_home = 'yes') %}
 {% for m in ansible_mounts if m.mount.startswith('/home') %}
-{%   set protect_home = 'read-only' %}
+{%   set ns.protect_home = 'read-only' %}
 {% endfor %}
-ProtectHome={{ protect_home }}
+ProtectHome={{ ns.protect_home }}
 NoNewPrivileges=yes
 
 {% if (ansible_facts.packages.systemd | first).version is version('232', '>=') %}