Add basis of the role

templates/scaphandre.service.j2

@@ -0,0 +1,55 @@
+[Unit]
+Description=Scaphandre
+Documentation=https://github.com/hubblo-org/scaphandre
+Wants=network.target
+After=network.target
+
+[Service]
+IPAddressAllow=localhost
+IPAddressDeny=any
+
+ExecStartPre=-+/usr/sbin/modprobe intel_rapl_common
+ExecStartPre=+/usr/bin/find /sys/devices/virtual/powercap -name energy_uj -exec chmod g+r -R {} + -exec chown root:powercap {} +
+ExecStart=scaphandre {{ scaphandre_exporter }} -a {{ scaphandre_exporter_web_listen_address }} -p {{ scaphandre_exporter_web_listen_port }} -s {{ scaphandre_web_telemetry_path }}
+
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+DevicePolicy=closed
+DynamicUser=yes
+Group=powercap
+IPAccounting=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+MemoryMax=100M
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SyslogIdentifier=scaphandre
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@keyring
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@resources
+SystemCallFilter=~@swap
+UMask=0777
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target