From 8c834ee7d7ad864a177fa9cf9267fba16fecd2c0 Mon Sep 17 00:00:00 2001
From: Jeremie Fraeys
Date: Fri, 6 Mar 2026 14:30:20 -0500
Subject: [PATCH] refactor(monitoring): update exporters, loki, and prometheus configs

- Update exporters docker-compose configuration
- Modify Loki templates for log aggregation
- Adjust Prometheus configuration and templates
Part of: Monitoring stack maintenance
---
 roles/exporters/templates/docker-compose.yml.j2 | 4 ++++
 roles/loki/templates/docker-compose.yml.j2 | 7 ++++++-
 roles/prometheus/templates/docker-compose.yml.j2 | 5 +++++
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/roles/exporters/templates/docker-compose.yml.j2 b/roles/exporters/templates/docker-compose.yml.j2
index 36562ae..07b3c25 100644
--- a/roles/exporters/templates/docker-compose.yml.j2
+++ b/roles/exporters/templates/docker-compose.yml.j2
@@ -9,6 +9,8 @@ services:
 networks:
 - internal
 restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
 labels:
 - com.centurylinklabs.watchtower.enable=true
@@ -22,6 +24,8 @@ services:
 networks:
 - internal
 restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
 labels:
 - com.centurylinklabs.watchtower.enable=true
diff --git a/roles/loki/templates/docker-compose.yml.j2 b/roles/loki/templates/docker-compose.yml.j2
index 379feb4..229b892 100644
--- a/roles/loki/templates/docker-compose.yml.j2
+++ b/roles/loki/templates/docker-compose.yml.j2
@@ -3,13 +3,18 @@ services:
 image: grafana/loki:3
 command: -config.file=/etc/loki/config.yml
 ports:
- - "3100:3100"
+ - "127.0.0.1:3100:3100"
 volumes:
 - ./loki-config.yml:/etc/loki/config.yml:ro
 - loki_data:/loki
 networks:
 - monitoring
 restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
+ read_only: true
+ tmpfs:
+ - /tmp:noexec,nosuid,size=100m
 labels:
 - com.centurylinklabs.watchtower.enable=true
diff --git a/roles/prometheus/templates/docker-compose.yml.j2 b/roles/prometheus/templates/docker-compose.yml.j2
index 397ebcf..8507644 100644
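Review bot: The two `security_opt` additions in roles/exporters (the hunks at -9 and -22) set only `no-new-privileges:true`, which stops a process from gaining privileges through setuid binaries or file capabilities but leaves the container's starting capability set and its writable root filesystem unchanged. The loki and prometheus templates in this same patch also receive `read_only: true`; if the exporter images tolerate it, adding that line together with `cap_drop:` and `- ALL` would bring the three roles to the same baseline. Both service definitions begin above their hunks, so which exporters these are, and whether either needs extra capabilities or host mounts, cannot be seen from here. A comment such as `# hardening baseline: keep in sync with roles/loki and roles/prometheus` above the new key would record the intent.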
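Review bot: Changing the published port to `"127.0.0.1:3100:3100"` in the loki hunk narrows the listener from all host interfaces to loopback, and the commit message presents the patch as a refactor without mentioning it. If every log shipper reaches Loki over the `monitoring` network or through a local proxy this is the right tightening; if any agent on another host pushes to port 3100, its ingestion would stop with no error on the Loki side and leave a gap in the log record. I would add a comment above the mapping, `# loopback only: remote shippers must use the monitoring network or a local proxy`, and call the change out in the commit message. Separately, `read_only: true` leaves only `loki_data:/loki` and the `/tmp` tmpfs writable, so every storage, WAL and compactor path in loki-config.yml (not part of this patch) has to sit under `/loki`.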
--- a/roles/prometheus/templates/docker-compose.yml.j2
+++ b/roles/prometheus/templates/docker-compose.yml.j2
@@ -15,6 +15,11 @@ services:
 ports:
 - "127.0.0.1:9090:9090"
 restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
+ read_only: true
+ tmpfs:
+ - /tmp:noexec,nosuid,size=50m
 labels:
 - com.centurylinklabs.watchtower.enable=true
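Review bot: `read_only: true` in the prometheus hunk makes the container's root filesystem immutable, and the only writable path added alongside it is the `/tmp` tmpfs, so the TSDB directory has to be on a volume declared above the hunk (the service's `volumes:` list is outside the visible lines). If the storage path is not volume-backed, Prometheus would be unable to write its data directory and would likely fail at startup. Please confirm the mount and document the dependency next to the new key, for example `# read_only: TSDB data dir must stay on a writable volume`. The tmpfs option string could also carry `nodev`, giving `- /tmp:noexec,nosuid,nodev,size=50m`; the same applies to the `/tmp` entry in the loki template.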