chore: systemd hardening (#1837)

* chore: systemd hardening

ProtectHome and InaccessiblePaths to senstive internal locations

* Apply suggestion from @pcnc

Co-authored-by: Paul Cioanca <[email protected]>

* chore: more paths

---------

Co-authored-by: Paul Cioanca <[email protected]>

Author: staaldraad

ansible/files/postgresql_config/postgresql.service.j2

@@ -22,7 +22,9 @@ OOMScoreAdjust=-1000
 EnvironmentFile=-/etc/environment.d/postgresql.env
 LimitNOFILE=16384
 {% if supabase_internal is defined %}
-ReadOnlyPaths=/etc
+ProtectHome=yes
+ReadOnlyPaths=/etc /opt
+InaccessiblePaths=-/var/lib/supabase -/var/lib/supabase-admin-agent -/var/lib/cloud -/var/cache/supabase-admin-agent -/opt/saltstack -/etc/salt
 {% endif %}
 [Install]
 WantedBy=multi-user.target

ansible/vars.yml

@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.5.1.042-orioledb"
-  postgres17: "17.6.1.021"
-  postgres15: "15.14.1.021"
+  postgresorioledb-17: "17.5.1.043-orioledb"
+  postgres17: "17.6.1.022"
+  postgres15: "15.14.1.022"
 
 # Non Postgres Extensions
 pgbouncer_release: 1.19.0