fix: remove unsupported systemd options

defaults/main.yml

@@ -113,7 +113,11 @@ prometheus_alert_rules:
     labels:
       severity: warning
     annotations:
-      description: "This is an alert meant to ensure that the entire alerting pipeline is functional.\nThis alert is always firing, therefore it should always be firing in Alertmanager\nand always fire against a receiver. There are integrations with various notification\nmechanisms that send a notification when this alert is not firing. For example the\n\"DeadMansSnitch\" integration in PagerDuty."
+      description: >-
+        This is an alert meant to ensure that the entire alerting pipeline is functional.
+        This alert is always firing, therefore it should always be firing in Alertmanager
+        and always fire against a receiver. There are integrations with various notification
+        mechanisms that send a notification when this alert is not firing.
       summary: "Ensure entire alerting pipeline is functional"
   - alert: InstanceDown
     expr: "up == 0"

molecule/centos7/molecule.yml

@@ -3,6 +3,7 @@ dependency:
   name: galaxy
   options:
     role-file: molecule/requirements.yml
+    requirements-file: molecule/requirements.yml
   env:
     ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false"
 driver:
@@ -18,5 +19,6 @@ provisioner:
   env:
     ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
     ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
+  log: False
 verifier:
   name: testinfra

tasks/setup.yml

@@ -27,11 +27,10 @@
         extra_opts:
           - --strip-components=1
         remote_src: yes
-        include:
+        exclude:
-          - prometheus-{{ prometheus_version }}.linux-amd64/consoles/
+          - prometheus-{{ prometheus_version }}.linux-amd64/LICENSE
-          - prometheus-{{ prometheus_version }}.linux-amd64/console_libraries/
+          - prometheus-{{ prometheus_version }}.linux-amd64/NOTICE
-          - prometheus-{{ prometheus_version }}.linux-amd64/prometheus
+          - prometheus-{{ prometheus_version }}.linux-amd64/prometheus.yml
-          - prometheus-{{ prometheus_version }}.linux-amd64/promtool
       notify: __prometheus_restart
   become: True
   become_user: "{{ prometheus_user }}"
@@ -48,8 +47,8 @@
       notify: __prometheus_reload
 
     - name: Copy prometheus web config file
-      copy:
+      template:
-        content: "{{ prometheus_web_config | to_nice_yaml(indent=2) }}"
+        src: "conf/web.yml.j2"
         dest: "{{ prometheus_config_dir }}/web.yml"
         owner: "{{ prometheus_user }}"
         group: "{{ prometheus_user }}"

templates/conf/web.yml.j2

@@ -0,0 +1,4 @@
+#jinja2: lstrip_blocks: True
+{{ ansible_managed | comment }}
+
+{{ prometheus_web_config | to_nice_yaml(indent=2) }}

templates/etc/systemd/system/prometheus.service.j2

@@ -34,16 +34,11 @@ ExecStart={{ prometheus_base_dir }}/prometheus \
 {% endfor %}
   --config.file={{ prometheus_config_dir }}/prometheus.yml
 
-CapabilityBoundingSet=CAP_SET_UID
 LimitNOFILE=65000
-LockPersonality=true
 NoNewPrivileges=true
-MemoryDenyWriteExecute=true
 PrivateDevices=true
 PrivateTmp=true
 ProtectHome=true
-RemoveIPC=true
-RestrictSUIDSGID=true
 
 ReadWriteDirectories={{ prometheus_data_dir }}
 {% for path in prometheus_read_only_dirs %}