From 7a7e76a735b7ab9ab1797a0b123cc4e8b193e87b Mon Sep 17 00:00:00 2001
From: SuperQ
Date: Fri, 4 Aug 2023 14:50:54 +0200
Subject: [PATCH] fix(node_exporter): Fix ProtectHome for textfiles

Set the node_exporter `ProtectHome=read-only` when the textfile dir is in `/home`.

Fixes: https://github.com/prometheus-community/ansible/issues/183

Signed-off-by: SuperQ
---
 roles/node_exporter/molecule/latest/converge.yml | 1 +
 .../tests/{test_alternative.py => test_latest.py} | 11 ++++++++++-
 .../node_exporter/templates/node_exporter.service.j2 | 3 +++
 3 files changed, 14 insertions(+), 1 deletion(-)
 rename roles/node_exporter/molecule/latest/tests/{test_alternative.py => test_latest.py} (78%)

diff --git a/roles/node_exporter/molecule/latest/converge.yml b/roles/node_exporter/molecule/latest/converge.yml
index 020438535..049f022e2 100644
--- a/roles/node_exporter/molecule/latest/converge.yml
+++ b/roles/node_exporter/molecule/latest/converge.yml
@@ -6,3 +6,4 @@
 - prometheus.prometheus.node_exporter
 vars:
 node_exporter_version: latest
+ node_exporter_textfile_dir: "/home/node_exporter"
diff --git a/roles/node_exporter/molecule/latest/tests/test_alternative.py b/roles/node_exporter/molecule/latest/tests/test_latest.py
similarity index 78%
rename from roles/node_exporter/molecule/latest/tests/test_alternative.py
rename to roles/node_exporter/molecule/latest/tests/test_latest.py
index f2636ecd9..7a02b96b3 100644
--- a/roles/node_exporter/molecule/latest/tests/test_alternative.py
+++ b/roles/node_exporter/molecule/latest/tests/test_latest.py
@@ -19,6 +19,15 @@ def test_files(host, files):
 assert f.is_file
+def test_directories(host):
+ dirs = [
+ "/home/node_exporter"
+ ]
+ for dir in dirs:
+ d = host.file(dir)
+ assert d.is_directory
+ assert d.exists
+
 def test_service(host):
 s = host.service("node_exporter")
 # assert s.is_enabled
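Review bot: In the added test_directories the loop variable `dir` shadows the builtin, and `assert d.is_directory` runs before `assert d.exists`, so a missing path fails on the less specific check; rename it and swap the order, `for path in dirs:` / `d = host.file(path)`, then `assert d.exists` before `assert d.is_directory`. The hard-coded `/home/node_exporter` has to stay in step with node_exporter_textfile_dir in converge.yml, which a comment should record, `# keep in sync with node_exporter_textfile_dir in converge.yml`. The new function is followed by a single blank line before test_service where PEP 8 expects two. If the role sets owner and mode on the textfile dir, asserting them here would also document who is allowed to write metrics into a directory the service now reads from under /home.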
@@ -28,7 +37,7 @@ def test_service(host):
 def test_protecthome_property(host):
 s = host.service("node_exporter")
 p = s.systemd_properties
- assert p.get("ProtectHome") == "yes"
+ assert p.get("ProtectHome") == "read-only"
 def test_socket(host):
diff --git a/roles/node_exporter/templates/node_exporter.service.j2 b/roles/node_exporter/templates/node_exporter.service.j2
index e68535556..36c450347 100644
--- a/roles/node_exporter/templates/node_exporter.service.j2
+++ b/roles/node_exporter/templates/node_exporter.service.j2
@@ -42,6 +42,9 @@ StartLimitInterval=0
 {% for m in ansible_mounts if m.mount.startswith('/home') %}
 {% set ns.protect_home = 'read-only' %}
 {% endfor %}
+{% if node_exporter_textfile_dir.startswith('/home') %}
+{% set ns.protect_home = 'read-only' %}
+{% endif %}
 ProtectHome={{ ns.protect_home }}
 NoNewPrivileges=yes
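Review bot: The assertion now pins `read-only` only because converge.yml places node_exporter_textfile_dir under /home, so this scenario no longer exercises the `yes` value it asserted before; unless another molecule scenario still checks that stricter default, it is untested after this change. A comment on the assertion would make the coupling explicit, `# read-only because converge.yml puts the textfile dir under /home`.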
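Review bot: The added `{% if %}` relaxes ProtectHome on a bare prefix match, so a dir such as `/homelab` would also trigger it, while a textfile dir under `/root` or `/run/user`, the other trees ProtectHome= governs, stays unreadable under `yes`; a path-aware test would be `{% if node_exporter_textfile_dir == '/home' or node_exporter_textfile_dir.startswith('/home/') %}`, and the mount loop above it uses the same prefix match and could be tightened the same way. If the role can leave the variable empty or undefined, `.startswith` on an undefined value fails the render, so either guard it with `is defined` or rely on the role default being documented as always set. A template comment would record why read-only rather than no is enough, e.g. `{# the textfile collector only reads this dir, so read-only keeps the rest of the ProtectHome hardening #}`, assuming nothing in the role writes there. The `ns` namespace this block updates is defined above the hunk.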