From 66595645a75aa24661e77109675bdcbacc9266d9 Mon Sep 17 00:00:00 2001
From: SuperQ
Date: Fri, 4 Aug 2023 14:50:54 +0200
Subject: [PATCH] fix(node_exporter): Fix ProtectHome for textfiles

Set the node_exporter `ProtectHome=read-only` when the textfile dir is in `/home`.

Fixes: https://github.com/prometheus-community/ansible/issues/183

Signed-off-by: SuperQ
---
 .../tests/{test_alternative.py => test_latest.py} | 12 +++++++++++-
 .../node_exporter/templates/node_exporter.service.j2 | 3 +++
 2 files changed, 14 insertions(+), 1 deletion(-)
 rename roles/node_exporter/molecule/latest/tests/{test_alternative.py => test_latest.py} (83%)

diff --git a/roles/node_exporter/molecule/latest/tests/test_alternative.py b/roles/node_exporter/molecule/latest/tests/test_latest.py
similarity index 83%
rename from roles/node_exporter/molecule/latest/tests/test_alternative.py
rename to roles/node_exporter/molecule/latest/tests/test_latest.py
index e2228d7ad..812280205 100644
--- a/roles/node_exporter/molecule/latest/tests/test_alternative.py
+++ b/roles/node_exporter/molecule/latest/tests/test_latest.py
@@ -19,6 +19,16 @@ def test_files(host, files):
     assert f.is_file
 
 
+def test_directories(host):
+    dirs = [
+        "/home/node_exporter"
+    ]
+    for dir in dirs:
+        d = host.file(dir)
+        assert d.is_directory
+        assert d.exists
+
+
 def test_service(host):
     s = host.service("node_exporter")
     try:
@@ -35,7 +45,7 @@ def test_service(host):
 def test_protecthome_property(host):
     s = host.service("node_exporter")
     p = s.systemd_properties
-    assert p.get("ProtectHome") == "yes"
+    assert p.get("ProtectHome") == "read-only"
 
 
 def test_socket(host):
diff --git a/roles/node_exporter/templates/node_exporter.service.j2 b/roles/node_exporter/templates/node_exporter.service.j2
index e68535556..36c450347 100644
--- a/roles/node_exporter/templates/node_exporter.service.j2
+++ b/roles/node_exporter/templates/node_exporter.service.j2
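Review bot: In the new `test_directories`, `for dir in dirs:` shadows the builtin `dir`, and `assert d.is_directory` runs before `assert d.exists`, so a missing path fails on the less descriptive assertion first; rename the loop variable and swap the two asserts, e.g. `for path in dirs:` / `d = host.file(path)` / `assert d.exists` followed by `assert d.is_directory`. The test only checks that the directory exists; it does not confirm that the service can actually read it once `ProtectHome=read-only` is in effect (the property the second hunk now pins), which is the behaviour this fix is about, so a follow-up test that exercises the textfile collector against that directory would verify the hardening does not break collection. The hard-coded `"/home/node_exporter"` presumably mirrors the scenario's textfile dir setting; deriving it from the same variable would keep the two from drifting.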
@@ -42,6 +42,9 @@ StartLimitInterval=0
 {% for m in ansible_mounts if m.mount.startswith('/home') %}
 {% set ns.protect_home = 'read-only' %}
 {% endfor %}
+{% if node_exporter_textfile_dir.startswith('/home') %}
+{% set ns.protect_home = 'read-only' %}
+{% endif %}
 ProtectHome={{ ns.protect_home }}
 NoNewPrivileges=yes
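Review bot: The added `node_exporter_textfile_dir.startswith('/home')` is a plain string-prefix test, so any path that merely begins with those characters (a sibling directory named `/home-data`, for instance) also relaxes `ProtectHome`, while a textfile dir placed under `/root` or `/run/user`, which `ProtectHome=yes` hides as well, still leaves the collector unable to read it; a path-aware check such as `{% if node_exporter_textfile_dir == '/home' or node_exporter_textfile_dir.startswith('/home/') %}` fixes the first point, and the `/root`/`/run/user` case deserves either the same treatment or a comment stating it is unsupported. Keeping `read-only` rather than `no` is the right call from a least-privilege standpoint, since node_exporter only needs to read the textfile directory, and a template comment saying so (`{# read-only is sufficient: the textfile collector never writes here #}`) would stop a later edit from widening it. The template evaluates `.startswith` on `node_exporter_textfile_dir` unguarded, so the render fails if the variable is undefined or not a string; that is presumably covered by the role defaults but is worth confirming. The `@@` counts indicate one more context line than is visible here, so the hunk may continue past this excerpt.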