From be0a877b00d8ce8026aebaabcaafacc27cdbb0b5 Mon Sep 17 00:00:00 2001 From: Kevin Bowrin Date: Wed, 3 May 2023 12:44:57 -0400 Subject: [PATCH] node_exporter: Fix Systemd ProtectHome option in service unit Fixes an issue with the jinja2 snippet which is used to create the node_exporter Systemd unit. More details here: https://github.com/prometheus-community/ansible/issues/13 Jinja2 namespaces are used to ensure the variable `protect_home` can be set in the parent scope of the `for` loop looking through the mounts. Signed-off-by: Kevin Bowrin
---
 .../molecule/alternative/tests/test_alternative.py | 6 ++++++
 roles/node_exporter/molecule/default/tests/test_default.py | 6 ++++++
 .../node_exporter/molecule/latest/tests/test_alternative.py | 6 ++++++
 roles/node_exporter/templates/node_exporter.service.j2 | 6 +++---
 4 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/roles/node_exporter/molecule/alternative/tests/test_alternative.py b/roles/node_exporter/molecule/alternative/tests/test_alternative.py
index 297bf5b9b..92c153af8 100644
--- a/roles/node_exporter/molecule/alternative/tests/test_alternative.py
+++ b/roles/node_exporter/molecule/alternative/tests/test_alternative.py
@@ -23,6 +23,12 @@ def test_service(host):
 assert s.is_running
+def test_protecthome_property(host):
+ s = host.service("node_exporter")
+ p = s.systemd_properties
+ assert p.get("ProtectHome") == "yes"
+
+
 def test_socket(host):
 sockets = [
 "tcp://127.0.0.1:8080"
diff --git a/roles/node_exporter/molecule/default/tests/test_default.py b/roles/node_exporter/molecule/default/tests/test_default.py
index cb9bf2e30..bb11310ff 100644
--- a/roles/node_exporter/molecule/default/tests/test_default.py
+++ b/roles/node_exporter/molecule/default/tests/test_default.py
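Review bot: `test_protecthome_property` hard-codes `ProtectHome` to `"yes"`, but the template changed in this same patch renders `read-only` whenever a mount whose path starts with `/home` is present, so the assertion encodes the molecule host's mount layout rather than the role's contract and would fail on a host with a separate `/home`. A form that holds on any host is `assert p.get("ProtectHome") in ("yes", "read-only")`, or deriving the expected value from the host's mounts; as written the `read-only` branch is never exercised by any of the three tests. The function would also benefit from a docstring such as `"""node_exporter must run with ProtectHome enabled: 'yes', or 'read-only' when a /home mount exists."""`. The same function is copied verbatim into molecule/default/tests/test_default.py and molecule/latest/tests/test_alternative.py, so this applies to those hunks as well.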
@@ -57,6 +57,12 @@ def test_service(host):
 assert s.is_running
+def test_protecthome_property(host):
+ s = host.service("node_exporter")
+ p = s.systemd_properties
+ assert p.get("ProtectHome") == "yes"
+
+
 def test_socket(host):
 sockets = [
 "tcp://127.0.0.1:9100"
diff --git a/roles/node_exporter/molecule/latest/tests/test_alternative.py b/roles/node_exporter/molecule/latest/tests/test_alternative.py
index 11e26ddfb..f2636ecd9 100644
--- a/roles/node_exporter/molecule/latest/tests/test_alternative.py
+++ b/roles/node_exporter/molecule/latest/tests/test_alternative.py
@@ -25,6 +25,12 @@ def test_service(host):
 assert s.is_running
+def test_protecthome_property(host):
+ s = host.service("node_exporter")
+ p = s.systemd_properties
+ assert p.get("ProtectHome") == "yes"
+
+
 def test_socket(host):
 s = host.socket("tcp://0.0.0.0:9100")
 assert s.is_listening
diff --git a/roles/node_exporter/templates/node_exporter.service.j2 b/roles/node_exporter/templates/node_exporter.service.j2
index 31b085586..e68535556 100644
--- a/roles/node_exporter/templates/node_exporter.service.j2
+++ b/roles/node_exporter/templates/node_exporter.service.j2
@@ -38,11 +38,11 @@ Restart=always
 RestartSec=1
 StartLimitInterval=0
-{% set protect_home = 'yes' %}
+{% set ns = namespace(protect_home = 'yes') %}
 {% for m in ansible_mounts if m.mount.startswith('/home') %}
-{% set protect_home = 'read-only' %}
+{% set ns.protect_home = 'read-only' %}
 {% endfor %}
-ProtectHome={{ protect_home }}
+ProtectHome={{ ns.protect_home }}
 NoNewPrivileges=yes
 {% if (ansible_facts.packages.systemd | first).version is version('232', '>=') %}
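Review bot: The `namespace` on the new `set` lines is a Jinja2 scoping workaround that a later edit could easily revert back to a plain `set`, so the reason should be recorded in the template, e.g. `{# Jinja2 'set' inside a for loop is loop-scoped; the namespace lets the assignment survive the loop #}` above the `{% set ns = namespace(protect_home = 'yes') %}` line. Because the loop assignment now actually takes effect, this is the first version in which `ProtectHome` is weakened from `yes` to `read-only` on hosts with a `/home` mount — presumably so the filesystem collector can read it — and `startswith('/home')` also matches unrelated mount points such as `/home2`, so `m.mount == '/home' or m.mount.startswith('/home/')` would confine the downgrade to the intended paths. Minor style: keyword arguments are conventionally written without spaces around `=`, i.e. `namespace(protect_home='yes')`. The unit file continues past the end of this hunk.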