From aca942856c1fef9db606059f8276f20152276448 Mon Sep 17 00:00:00 2001
From: surtur
Date: Tue, 22 Mar 2022 14:12:32 +0100
Subject: [PATCH] add systemd config files
---
 etc/systemd/system/grafana.service | 39 +++++++++++++++++++
 .../system/grafana.service.d/override.conf | 4 ++
 2 files changed, 43 insertions(+)
 create mode 100644 etc/systemd/system/grafana.service
 create mode 100644 etc/systemd/system/grafana.service.d/override.conf
diff --git a/etc/systemd/system/grafana.service b/etc/systemd/system/grafana.service
new file mode 100644
index 0000000..f6c30a6
--- /dev/null
+++ b/etc/systemd/system/grafana.service
@@ -0,0 +1,39 @@
+# /etc/systemd/system/grafana.service
+[Unit]
+Description=Grafana
+After=nginx.service docker.service
+
+[Service]
+Delegate=no
+; Restart=on-failure
+Restart=always
+RestartSec=10
+ExecStart=/usr/bin/docker-compose -p grafana -f /etc/grafana/docker-compose.yml up
+ExecStop=/usr/bin/docker-compose -p grafana -f /etc/grafana/docker-compose.yml stop
+
+CapabilityBoundingSet=
+SystemCallFilter=~memfd_create
+ProtectProc=invisible
+ProtectHome=true
+RestrictNamespaces=uts ipc pid user cgroup
+NoNewPrivileges=True
+#SecureBits=noroot-locked
+ProtectSystem=strict
+DevicePolicy=closed
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
diff --git a/etc/systemd/system/grafana.service.d/override.conf b/etc/systemd/system/grafana.service.d/override.conf
new file mode 100644
index 0000000..7b8d76c
--- /dev/null
+++ b/etc/systemd/system/grafana.service.d/override.conf
@@ -0,0 +1,4 @@
+# /etc/systemd/system/grafana.service.d/override.conf
+# grafana service override
+[Unit]
+OnFailure=status_email_wanderer@%n
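Review bot: The `[Unit]` section of grafana.service only orders the unit after docker.service but never requires it, so `systemctl start grafana` on a host where docker is stopped will run docker-compose against a missing daemon and rely on `Restart=always`/`RestartSec=10` to spin until something else starts docker; the dependency should be explicit, `Requires=docker.service` next to `After=nginx.service docker.service`. The long sandboxing block (empty `CapabilityBoundingSet=`, `PrivateUsers=true`, `ProtectSystem=strict`, …) constrains only the docker-compose client process; the Grafana containers it asks dockerd to start are children of the daemon and inherit none of these restrictions, so a header comment stating that, e.g. `# Hardening below applies to the compose client only; container limits belong in /etc/grafana/docker-compose.yml`, would stop a reader from mistaking this for container hardening. Since the client still needs the docker control socket, which is presumably root-equivalent on this host, the practical effect of the sandbox is worth confirming with `systemd-analyze security grafana.service` after deployment. As a point of style, `NoNewPrivileges=True` is the only boolean spelled with a capital letter while every other directive uses `true`; systemd accepts both, but `NoNewPrivileges=true` keeps the file consistent.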
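Review bot: `OnFailure=status_email_wanderer@%n` in override.conf references a template unit, `status_email_wanderer@.service`, that this commit does not add, and nothing on the page says where it comes from; if it is absent, the failure hook silently does nothing beyond a journal error at the moment it is needed most. A comment on the line, `# requires the status_email_wanderer@.service template to be installed separately`, would make the external dependency visible. Note also that `%n` expands to the full unit name `grafana.service`, so the instantiated unit is `status_email_wanderer@grafana.service` with instance `grafana`; worth confirming the template's `%i` handling expects the short name rather than `grafana.service`. Finally, since grafana.service is created in the same commit, the drop-in could simply live in the main unit's `[Unit]` section unless the override is meant to be managed by a different tool.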